Transparency 2.0

Posted on May 17th, 2013 by Eduardo Ustaran

Telling people about the uses made of their personal information is probably the most widespread obligation across all data privacy frameworks around the world.  This derives from the fact that data privacy law has always been understood as a means to give people control – or at least a degree of control – over how others use their personal information.  Therefore, for individuals to be able to exercise the appropriate level of control, it is imperative that they are first told how their information will be used.  So irrespective of whether the use of that information is legitimised by an individual’s consent, there is still an overarching obligation to be transparent about personal data uses.  Recent developments confirm that this principle is still very much alive in the mindsets of regulators but also that compliance with the transparency obligation – as fundamental as it may be – is not without its challenges.

At one level, the growing use of increasingly sophisticated technology has made the role of privacy notices more crucial than ever before.  This is supported by the continuous output from regulatory authorities from all jurisdictions stressing the importance of explaining the uses made of data collected through users’ interaction with their devices in a clear and comprehensive manner.  In the EU, for example, the Opinions of the prolific Article 29 Working Party on issues like the deployment of cookies, the use of apps in smart devices and more recently in relation to the “purpose limitation” principle, consistently stress that as technology and data uses become more complex, the responsibility to provide a suitable explanation is even greater.  This has also been reflected in the proposed European Data Protection Regulation, which contains much more detailed transparency obligations than the current directive.  Outside Europe, guidance from the FTC in the USA and the Federal Privacy Commissioner in Canada in relation to mobile data uses emphasises exactly the same message.

The importance of privacy notices does not stop there.  The Regional Court of Berlin has recently upheld the claims made by a German consumer protection association against Apple for being too broad-brush with its public privacy policy.  Apparently, the policy did not spell out specifically enough which uses applied to which types of data.  This is an eyebrow-raising decision, not just because of its potential effect on Apple, but because the structure of Apple’s policy is entirely in line with current market practice.  In a similar vein, the Global Privacy Enforcement Network – which comprises privacy regulators from all over the world – has launched its Internet Privacy Sweep initiative, aimed at reviewing the quality of privacy notices of consumer-facing websites globally.

However, the challenges faced by policy makers and data users alike are all too obvious to turn this issue into a simple matter of good notice or bad notice.  To begin with, research seems to indicate that only a very small proportion of Internet and mobile users actually read the privacy notices available.  As essential as transparency may be, the reality is that understanding an organisation’s data uses is not regarded as a priority in the context of accessing a service or making a transaction.  In addition, the complexity surrounding current technologies and data usage makes it very difficult for any organisation to explain in plain and clear terms how data will be used, in a way that allows the average individual to understand its implications.  On top of this, the size of devices such as smart phones and their applications – let alone glasses, household appliances, GPS watches or any other gadget without a proper screen – presents another practical difficulty in terms of making the right amount of information available at the right time and in the right format.

All in all, traditional and unimaginative transparency mechanisms have their days numbered.  Long and legalistic privacy notices in particular are unlikely to serve their purpose going forward.  Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible.  In recent years, regulators have also favoured a layered approach to the provision of privacy notices.  The next step in this evolution is the adoption of very short “contextual notices” that explain at the right time and in the right way, how certain user data will be used.  These types of notices are probably Internet and mobile players’ best chance of providing truly meaningful information when it matters.

In terms of content, the emphasis is likely to shift towards explaining how technology itself makes it possible for certain data to be collected and analysed.  In other words, the content of privacy notices will focus more specifically on explaining how the relevant technology works.  Looking further into the future, if screen sizes become smaller or disappear altogether, it is likely that some content will be replaced by icons and that privacy notices will become akin to “nutritional labels”.  This is something that should be explored further by identifying key technological factors that may affect someone’s privacy – such as the use of cookies, behavioural tracking and location tracking – each of which could then have its own symbol and a universally accepted intrusiveness grade.  Certainly one to think about.  The transition from today’s predominantly lawyer-driven notices to a more down-to-earth approach to transparency about data uses will not happen overnight, but the process has already started.


This article was first published in Data Protection Law & Policy in May 2013.

.............................................................................................................................................

Cookie consent update – implied consent now widespread

Posted on May 15th, 2013 by Phil Lee

Our latest EU cookie consent tracking table has just been published here.

Latest regional developments:

Our latest table reveals:

* ‘Implied consent’ is currently a valid solution for cookie compliance in nearly three-quarters of EEA Member States.

* Since our last update, cookie consent implementations have been introduced in Norway and Poland.

* Ongoing cookie regulatory developments in Denmark, the Netherlands, Slovenia and Spain.

Other notable developments

Aside from the regional developments shown in our table, other notable developments include:

* Growing recognition that cookie consent is every bit as relevant in mobile platforms as in desktop platforms – see, for example, the Working Party’s latest opinion on mobile apps (here).

* Major online players like Facebook and Google are adopting notice and choice solutions, likely driving wider industry compliance efforts (see here).

* Consumer protection and advertising regulatory bodies like the OFT and ASA are increasingly showing interest in online tracking and notice/choice issues (see here and here).

* Increasing co-operation between global DPAs on online privacy compliance issues (see here).

All in all, online privacy compliance continues to attract ever greater attention, both within data protection circles and from the wider regulatory environment.  As this issue continues to run and run, the picture emerging is that implied consent is the clear compliance front-runner – both from a regulatory and also from a market-adoption perspective.

.............................................................................................................................................

It’s time to dust off that privacy policy…

Posted on May 2nd, 2013 by Katie Paxie

The Information Commissioner’s Office (“ICO”) has announced in the latest edition of its e-newsletter that it will be examining the privacy policies of 250 of the UK’s most popular websites during the week of 6 – 11 May 2013 as part of ‘Internet Sweep Day’. Each website will be reviewed to check whether it contains an accessible privacy policy in accordance with relevant UK and international laws.

The Internet Sweep Day initiative isn’t limited to just the UK, as the ICO is working in conjunction with other global data protection authorities. The results of the review will be collected and sent back to the Office of the Privacy Commissioner for Canada and a report of the findings will be published in the Autumn.

There is no word yet on which websites the ICO is set to consider, but this is yet another wake-up call for businesses that haven’t started thinking about their public-facing documents and policies to get cracking!

The announcement comes hot on the heels of updates to the enforcement section of the ICO’s website, which show that the UK e-privacy enforcement space is certainly heating up, and of Google’s updates to its privacy policy in an attempt to comply with EU cookie consent rules.  Internal stakeholders who might be resistant to yet another review of an often overlooked part of any business’s website should be reminded that transparency is very likely to continue to be at the heart of the new European data protection framework.  It is most definitely time to get a head start now.

.............................................................................................................................................

BCR for processors get EU regulators’ vital endorsement

Posted on May 1st, 2013 by Eduardo Ustaran

The fact that, with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19-page explanatory document to clarifying and endorsing the role of BCR for Processors or “Binding Safe Processor Rules” is very telling. It is nearly 10 years since BCR was conceived and, whilst the approval process is not precisely a walk in the park, much has been achieved in terms of its status, simplification and even international recognition. However, the idea of applying the same approach to an international group of vendors or to cloud service providers is still quite novel.

The prospect of the forthcoming EU data protection framework specifically recognising both flavours of BCR is obviously encouraging, but right now the support provided by the Working Party is invaluable. The benefits of BSPR are well documented – easier contractual arrangements for customers and suppliers, a one-stop shop in terms of data transfers compliance for cloud customers, no need for cumbersome model clauses… It sounds like a much needed panacea to overcome the tough EU restrictions on international data transfers affecting global outsourcing and data processing operations. But as in the early days of the traditional BCR, potential suitors need to know that the idea is workable and that regulators will value the efforts made to achieve safe processor status.

Those who were already familiar with the previous opinions by the Working Party on BSPR – in particular WP195 – will not find the content of the new opinion particularly surprising. However, there are very useful and reassuring pointers in there, as highlighted by the following key statements and clarifications:

* The outsourcing industry has been constant in its request for a new legal instrument that would allow for a global approach to data protection in the outsourcing business and officially recognise internal rules organisations may have implemented.

* That kind of legal instrument would provide an efficient way to frame massive transfers made by a processor to sub-processors which are part of the same organisation acting on behalf and under the instructions of a controller.

* BCR for processors should be understood as adequate safeguards provided by the processor to the controller allowing the latter to comply with applicable EU data protection law.

* However, BCR for processors do not aim to shift controllers’ duties to processors.

* A processor’s organisation that has implemented BCR for processors will not need to sign contracts to frame transfers with each of the sub-processors that are part of its organisation, as BCR for processors adduce safeguards to data transferred and processed on behalf and under the instructions of a controller.

* BCR for processors already “approved” at EU level will be referred to by the controller as the appropriate safeguards proposed for the international transfers.

* Updates to the BCR for processors or to the list of the members of the BCR are possible without having to re-apply before the data protection authorities.

So in summary, and despite the detailed requirements that must be met, the overall approach of the Working Party is very “can do” and pragmatic. To finish things off in a collaborative manner, the Working Party points out at the end of the document that further input from interested circles and experts on the basis of the experience obtained will be welcomed. Keep it up!


.............................................................................................................................................

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by Brian Davidson

The times when one could say that the UK ICO was a fluffy, toothless regulator are over. Recently, the ICO has been going through its most prolific period of enforcement activity – by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings, and 2013 looks set to bring similar activity (in March, for example, the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls – a £90,000 fine for Glasgow-based DM Design for unwanted marketing calls).

To coincide with such activities, the ICO has recently updated the enforcement section of its website. What this tells us is that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly in the ICO’s enforcement agenda. In this regard, the ICO tells us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers to texts about accident and ‘PPI’ claims, in particular) and the ICO refers to the work it has carried out with members of the mobile phone industry in order to identify an organisation which is now the subject of enforcement action. The ICO also identifies ‘Live’ Sales Calls and ‘Automated Calls’ as other areas of priority, and has explicitly identified (and published) the names of a number of companies which it has either met to discuss compliance issues, or whose compliance it is actively monitoring following ‘concerns’, with a view to considering enforcement action. This relates not only to UK-based companies, but also to those based overseas who are targeting UK-based consumers. The ICO tells us that it is actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally, the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (far fewer than the number of concerns about unwanted marketing communications from individuals, it has to be said). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites it receives complaints about or that are ‘visited most by consumers’. However, the ICO also says that it has ‘maintained a consumer threat level of ‘low’ in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smart-phones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly on any business’s data protection compliance strategy.

.............................................................................................................................................

CNIL unveils 2012 annual activity report

Posted on April 29th, 2013 by Olivier Proust

On April 23rd, 2013, the French data protection authority (the “CNIL”) unveiled its 2012 Annual Activity Report (the “Report”). The CNIL’s Report gives an overview of the actions and initiatives undertaken in the past year, and is also a good indicator for what to expect in the coming year.

The CNIL has adopted a three-year strategic orientation program for the period 2012-2015. This action plan sets out three priorities, namely:

- To adopt a policy of openness and consultation towards stakeholders;
- To raise the level of awareness among data controllers (particularly companies) and to help them develop tools that allow them to implement the data protection principles; and
- To increase the level of compliance through a more targeted and efficient enforcement policy.

Focusing on the CNIL’s enforcement strategy, the summary below highlights some of the key points in the CNIL’s Report:

- Complaints: The number of complaints rose to 6,000 in 2012. 46% of complaints concerned the right to object to the data processing. The constant rise in complaints over the past years indicates that citizens are more and more aware of their data protection rights and are taking action more frequently. The telecoms/internet sector appears to have triggered most of the complaints (31%).

- Inspections: The CNIL conducted 458 on-site inspections in 2012, which represents a 19% increase compared to 2011. 285 of the inspections were carried out in the context of the Data Protection Act, while 173 inspections concerned the use of videosurveillance equipment. With regard to the Data Protection Act, 23% of the inspections were triggered by complaints and another 26% were initiated by events picked up in the news. This shows that the CNIL often takes action when a particular event or situation makes the headlines. 40% of the inspections are in line with the priorities set out by the CNIL in its annual inspection plan, which shows some consistency in how the CNIL operates within a particular sector or business activity.

- Sanctions: In 2012, the CNIL served 43 formal notices asking data controllers to comply. In most of the cases, the CNIL did not pronounce any sanction because the data controller had complied. In total, the CNIL pronounced 13 sanctions, eight of which were made public. The publicity of the sanction follows a recent amendment of the Data Protection Act, which authorizes the CNIL to publish the sanctions it pronounces. In the majority of cases, the sanction pronounced was a simple warning (56%), while fines were pronounced in only 25% of the cases. The CNIL pronounced only one injunction to cease the processing. The low number of fines can be explained by the fact that they do not have a strong deterrent effect on companies in France (by law, the maximum fine for a first violation is EUR 150,000). On the contrary, a warning can cause serious reputational damage to the data controller, particularly when it is made public, which may explain why the CNIL has chosen to publish its sanctions in 60% of the cases.

- Videosurveillance: In 2012, the CNIL carried out over 170 inspections of videosurveillance systems. In this context, the CNIL received more than 300 complaints, 75% of which concerned the use of video cameras at the workplace. The CNIL notes a lack of clarity surrounding the current legal framework for videosurveillance measures, insufficient or non-existent information provided to individuals, the inappropriate use of cameras, and insufficient security measures. In 2012, the CNIL published six practical guidebooks explaining how to use video cameras in compliance with the law.

- Data breach notifications: Following the implementation of the revised ePrivacy directive into French law, the CNIL received the first notifications for data breaches in the telecoms sector. While the total number of notifications for 2012 remains fairly low, the CNIL expects to receive more notifications in the coming year.

It is also worth noting that the CNIL’s budget and manpower also increased in 2012. As the years pass by, the CNIL continues to grow and to become better resourced. It is also more experienced and better organized. Thus, data controllers should pay close attention to the actions of the CNIL as it becomes a most powerful authority in France and within the European Union.

The CNIL’s 2012 Annual Activity Report is available (in French) at www.cnil.fr

.............................................................................................................................................

What will happen to Safe Harbor?

Posted on April 27th, 2013 by Eduardo Ustaran

As data protection-related political dramas go, the debate about the suitability and future viability of Safe Harbor is right at the top. The truth is that even when the concept was first floated by the US Department of Commerce as a self-regulatory mechanism to enable personal data transfers between the EU and the USA, and avert the threat of a trade war, it was clear that the idea would prove controversial. The fact that an agreement was finally reached between the US Government and the European Commission after several years of negotiations did not settle the matter, and European data protection authorities have traditionally been more or less publicly critical of the arrangement. The level of discomfort with Safe Harbor as an adequate mechanism in accordance with European standards was made patently obvious in the Article 29 Working Party Opinion on cloud computing of 2012, which argued that sole self-certification with Safe Harbor would not be sufficient to protect personal data in a cloud environment.

The Department of Commerce has now issued its own clarifications in response to the concerns raised by the Working Party Opinion. Understandably, the Department of Commerce makes a fierce defence of Safe Harbor as an officially recognised mechanism, which was approved by the European Commission and cannot be dismissed by the EU regulators. That is and will always be correct. Whilst the clarifications do not go into the detail of the Working Party Opinion, they certainly confirm that as far as data transfers are concerned, a Safe Harbor certification provides a public guarantee of adequate protection under the scrutiny of the Federal Trade Commission.

Such robust remarks will be music to the ears of those US cloud computing service providers that have chosen to rely on Safe Harbor to show their European compliance credentials. But the debate is far from over. The European regulators are unlikely to change their mind any time soon and, if their enforcement powers increase and allow them to go after cloud service providers directly (rather than their customers) as intended by the draft Data Protection Regulation, they will be keen to put those powers into practice. In addition, we are at least a year away from the new EU data protection legal framework being agreed, but some of the stakeholders are using the opportunity of a new law to reopen the validity of Safe Harbor, adding to the sense of uncertainty about its future.

If I were to make a prediction about what will happen to Safe Harbor, I would say that the chances of Safe Harbor disappearing altogether are nil. However, it is very likely that the European Commission will be forced to reopen the discussions about the content of the Safe Harbor Principles in an attempt to bring them closer to the requirements of the new EU framework and indeed Binding Corporate Rules. That may actually be a good outcome for everyone because it will help the US Government assert its position that Safe Harbor matches the desired privacy standards – particularly if some tweaks are eventually introduced to incorporate new elements of the EU framework – and it may address for once and for all the perennial concerns of the EU regulators.


.............................................................................................................................................

BCR – addressing post-approval challenges

Posted on April 23rd, 2013 by Brian Davidson

Everybody who has been paying attention to what is happening to the evolving European data protection framework knows that BCR will become the default mechanism to deal with international data transfers within global corporate groups. However, one of the regulatory considerations that BCR applicants may not be aware of is the requirement to complete the various administrative formalities in all relevant EU Member States in order to confirm that data transfers can take place under the BCR. These formalities vary from one Member State to another and derive from the fact that in some jurisdictions the DPAs still have to provide a permit for transfers based on the safeguards provided for in the BCR.

The European Commission has recognised the challenges for applicants that are attempting to comply with these requirements in different Member States by publishing a helpful ‘table of national administrative requirements’. However, in practice the information provided for each Member State can be insufficient for the purposes of making an application, either because it does not provide the full legal, administrative and practical requirements for making an application in a particular jurisdiction (for example, does the documentation have to be submitted via postal mail or will electronic copies via email suffice?) or, unfortunately, because it does not contain any information at all (at the time of writing the table did not contain any applicable requirements for Cyprus, Finland, Latvia, Lithuania, Romania and Slovenia).

Our work with clients in this area has highlighted the broad range of requirements between Member States. For example, in Ireland, Norway and the UK, a simple email seeking a request for approval of the BCR and attaching, as a courtesy, a copy of the BCR authorisation granted by the ‘lead’ DPA in the initial cooperation/mutual recognition procedure will normally suffice. However, in Italy, for example, the requirements are more comprehensive. These require a Letter of Application in Italian, signed by an individual who can legally represent the applicable local Italian applicant entities. In addition, ‘sworn translations’ of all documents comprising the applicant BCR are required (‘sworn translations’ are a requirement under Italian administrative law and refer to translations executed either by an Italian law firm or by a translator approved by an Italian tribunal) to be sent via postal mail to the Italian Data Protection Authority, together with a fee of €1,000 for each applicant Italian entity (for an equivalent application in Poland the fees tend to be much lower, covering the small cost of stamp duty and submitting an applicable Power of Attorney).

The mutual recognition procedure, created in 2009 and to which 21 of the 27 EU Member States have signed up (to date), is designed to facilitate a speedier approval process of an applicant’s BCR. To recap, once the ‘lead’ DPA has approved the BCR, it then appoints two additional DPAs to further review and comment on the application to verify that it meets the requisite standard. It is then circulated to the remaining signatory DPAs in order to automatically approve the BCR, without further comment.

Although the mutual recognition procedure is designed to further streamline the overall BCR approval process, our recent experience with clients indicates that it can present challenges when dealing with DPAs – as the latter have to ensure that a BCR is in compliance with their own national interpretation of the EU Data Protection Directive before providing their approval – something which DPAs feel they may not have been able to achieve during the initial mutual-recognition process. As a result, DPAs may seek further information from applicants at the ‘post administrative’ permit stage – in spite of the mutual recognition procedure already having been brought to a close.

In spite of such challenges for both DPAs and applicants alike, we have found that any such issues can be overcome. Having a valid set of BCR approved by a lead DPA is a strong factor in being able to answer applicable questions from other DPAs; and because they will already be familiar with the BCR during the initial approval process, issues can be quickly settled.

Despite BCR being a big feature of the proposed General Data Protection Regulation, the approval process is set to become tougher under the proposed ‘consistency mechanism’ (see our earlier blog for an explanation why); therefore data controllers thinking of implementing BCR should do so now, and not later. Despite current post-approval challenges, the process for achieving BCR today is more streamlined than it’s ever been, and BCR authorised now will remain in effect once the new Regulation becomes law.

.............................................................................................................................................

Poland and cookies – what’s the story?

Posted on April 22nd, 2013 by Dominika Kupczyk

Last month Poland joined the club of EU Member States that have implemented Europe’s consent requirement for cookies set on users’ devices.  Rumoured to be one of the Member States contemplating strict opt-in, all eyes were watching to see how exactly it would implement the cookie consent rule.

Cookie rules

Poland’s cookie consent law entered into force only on 25 March 2013 and seemingly introduced an opt-in requirement before setting cookies - with potential fines of up to 3% of revenue for website operators in breach.

Specifically, the new law imposes an obligation to inform users in advance, in a clear, unambiguous and easily understandable manner about:

1) The fact that cookies are being placed on their devices;

2) The purposes for which cookies are used;

3) The user’s right to access information about them; and

4) The ability to accept or refuse the cookie.

As in most Member States, consent is not needed for strictly necessary cookies.

So does Poland really require opt-in?

During the legislative work on the amendment, various forms of valid consent were proposed: implied, written and even consent signified through a simple “I accept” button. In the end, Article 173 (2) of the amended Telecommunication Law says that:

The subscriber or end user can express consent (…) by means of settings of a software installed on the telecommunication device they are using or through settings of the service

The two main regulators’ websites in Poland have both adopted an implied cookie consent banner approach, and even the Polish Ministry of Administration and Digitization (Ministerstwo Administracji i Cyfryzacji) has indicated it supports consent obtained through browser settings.  It is unclear whether this would extend to default browser settings.

What does this mean?

For businesses still building out their cookie consent strategy for the EU, this is good news: Poland was one of a couple of ‘outlier’ states threatening to adopt strict opt-in consent for cookies.  Had it adopted strict opt-in as the standard for consent, businesses operating on a pan-EU basis would have had to implement a different consent solution for Poland than for other, more relaxed EU territories where they could instead rely on implied consent.

In the end, this hasn’t happened and the other key outlier territory, the Netherlands, also looks set to acknowledge the validity of implied consent in the very near future.  When the cookie consent rule first came into effect in Europe back in 2011, nobody knew what a robust but pragmatic cookie consent solution would look like; now, two years on, both business and regulators alike are increasingly settling on implied consent as the answer.

.............................................................................................................................................

Big data means all data

avatar Posted on April 19th, 2013 by Eduardo Ustaran

There is an awesomeness factor in the way data about our digital comings and goings is being captured nowadays. That awesomeness is such that it cannot even be described in numbers. In other words, the concept of big data is not about size but about reach. In the same way that the ‘wow’ of today’s computer memory will turn into a ‘so what’ tomorrow, references to terabytes of data are meaningless as a way of defining the power and significance of big data. The best way to understand big data is to see it as a collection of all possible digital data. Absolutely all of it. Some of it will be trivial and most of it will be insignificant in isolation, but when put together its significance becomes clearer – at least to those who have the vision and astuteness to make the most of it.

Take transactional data as a starting point. One purchase by one person is meaningful up to a point – so if I buy a cookery book, the retailer may be able to infer that I either know someone who is interested in cooking or am interested in cooking myself. If many more people buy the same book, apart from suggesting that it may be a good idea to increase the stock of that book, the retailer as well as other interested parties – publishers, food producers, nutritionists – could derive some useful knowledge from those transactions. If I then buy cooking ingredients, the price of those items alone will give a picture of my spending bracket. As the number of transactions increases, the picture gets clearer and clearer. Now multiply the process for every shopper, at every retailer and every transaction. You automatically have an overwhelming amount of data about what people do with their money – how much they spend, on what, how often and so on. Is that useful information? It does not matter; it is simply massive, and someone will certainly derive value from it.

That’s just the purely transactional stuff.  Add information about at what time people turn on their mobile phones, switch on the hot water or check their e-mail, which means of transportation they use to go where and when they enter their workplaces – all easily recordable.  Include data about browsing habits, app usage and means of communication employed.  Then apply a bit of imagination and think about this kind of data gathering in an Internet of Things scenario, where offline everyday activities are electronically connected and digitally managed.  Now add social networking interactions, blogs, tweets, Internet searches and music downloads.  And for good measure, include some data from your GPS, hairdresser and medical appointments, online banking activities and energy company.  When does this stop?  It doesn’t.  It will just keep growing.  It’s big data and is happening now in every household, workplace, school, hospital, car, mobile device and website.

What has happened in an uncoordinated but consistent manner is that all those daily activities have become a massive source of information which someone, somewhere is starting to make use of.  Is this bad?  Not necessarily.  So far, we have seen pretty benign and very positive applications of big data – from correctly spelt Internet searches and useful shopping recommendations to helpful traffic-free driving directions and even predictions in the geographical spread of contagious diseases.  What is even better is that, data misuses aside, the potential of this hugemongous amount of information is as big as the imagination of those who can get their hands on it, which probably means that we have barely started to scratch the surface of it all.

Our understanding of the potential of big data will improve as we become more comfortable and familiar with its dimensions but even now, it is easy to see its economic and social value.  But with value comes responsibility.  Just as those who extract and transport oil must apply utmost care to the handling of such precious but hazardous material, those who amass and manipulate humanity’s valuable data must be responsible and accountable for their part.  It is not only fair but entirely right that the greater the potential, the greater the responsibility, and that anyone entrusted with our information should be accountable to us all.  It should not be up to us to figure out and manage what others are doing with our data.  Frankly, that is simply unachievable in a big data world.  But even if we cannot measure the size of big data, we must still find a way to apportion specific and realistic responsibilities for its exploitation.

This article was first published in Data Protection Law & Policy in April 2013.

.............................................................................................................................................