Just because you can, does not always mean you should!
The exponential growth of available data (big data) means that big analytics and big research projects are expected to lead to big knowledge and thus big opportunities – but who benefits and who loses?
The privacy conundrum, as I call it, raises a three-way battle between Governments that want access to all data, Consumers that give away all data and Businesses that want to use all data.
Businesses can use available expertise and technology to mine vast amounts of data that they control and can gain access to, but in doing so should they be white hat or black hat?
Well, just because you can does not always mean you should. When it comes to research and analytics of personal data, you cannot afford to be black hat: the increasingly global nature of the protection of individuals' rights, as regards both their human rights and their personal data, means that the principles of fair processing apply. To be white hat means to be legal and ethical in the use of big data. To be black hat means that at some point big law and big enforcement will be calling!
Black hat - what’s the worst that can happen?
Most jurisdictions have data protection laws that incorporate the OECD Guidelines on Privacy, and many NGOs and trade bodies such as the DMA and ESOMAR have codes of conduct that incorporate those same principles. These principles are:
• Collection limitation
• Data quality
• Purpose specification
• Use limitation
• Security safeguards
• Individual participation
All of these principles impact on research and analytics players be they white hat or black hat.
For one moment let’s turn our attention to individual participation: permissions and consents. To assume that individuals do not care about what happens to their personal data, do not understand privacy notices or bother reading them, and do not actually appreciate push technology is risky, if not foolhardy! Consumers are becoming empowered. At the European Data Governance Forum on 8th December at UNESCO in Paris, Manuel Valls, Prime Minister of France, said: “Rather than big data we need Magna Data”, referencing Magna Carta and the need for an internet Bill of Rights, something called for by Sir Tim Berners-Lee, the founder of the World Wide Web.
So what about empowerment of the consumer and the right to be forgotten and its impact on us? Well, it is already enshrined in French law, where it is based on droit à l’oubli (right to oblivion), and the right to be forgotten is part of the current draft general data protection regulation, extending the current rights of a data subject to have their information corrected, deleted or suppressed, particularly where it is being processed unfairly and unlawfully. Therefore, the right to be forgotten could impact any business that is a controller. The costs of managing a right to be forgotten are considerable. Controllers of personal data need to have in place suitable policies and procedures to ensure that they have the ability to “remember” where the personal data of the individual who wishes to be “forgotten” is held. Any business that has had to respond regularly to subject access requests will already know that this can be an expensive exercise and requires technical and organizational processes. Whereas a subject access request requires certain assessments over what personal data can be disclosed and what personal data can be retained, the right to be forgotten now imposes an obligation on the controller to carry out an assessment of the individual’s rights against those of public interest.
As more and more individuals become aware of their data protection rights and remedies, it is inevitable that businesses that regularly process large volumes of personal data will be subject to considerably more demands from data subjects who want to know what personal data about them is being processed and who challenge the right to process it. Without both technical and organizational procedures in place, businesses that receive subject access requests or requests to exercise the right to be forgotten may find themselves caught between the regulator and the courts. Data protection authorities tend to take a reasonable approach towards controllers that seek to comply with the law or are “seen to be moving in the right direction”, and therefore doing nothing in the light of the ECJ decision is a recipe for disaster.
The ECJ decision raises not only legal but also ethical issues. Before global communication, and well before the internet, publication in the press of an individual’s indiscretion or misfeasance was relatively short-lived. It was often said that today’s news is tomorrow’s fish and chip paper. Even before that, in small communities, the fact of an individual’s inappropriate behaviour or criminal activities was something that was talked about, and an individual had to live with that or, in the worst case, move away. The droit à l’oubli was based on the notion that when a criminal had paid his dues and done his time he should have his record expunged. The impact of the internet, big data and global communication means that nothing is forgotten and everything is remembered.
However, just because it is there does not mean we should always scrape every scrap of information we can.
The powers of, and impetus on, privacy regulators to enforce and fine those that do not comply with data protection laws increase month on month, and whilst fines and regulatory actions should be a deterrent, it is the “naming and shaming” and the loss of trust that should make black hat want to be white hat!
So be white hat
Data is the oil of the internet and a major asset, if not the major asset, for most businesses. However, if personal data has not been obtained and processed fairly, transparently and lawfully, then it is toxic waste. If your business is valued on the basis of your data, be sure it is worth the paper it is not written on.
If personal data is oil, don’t have a gusher. The more data you have, the more you have to lose and the more you may be robbed.
Be white hat and apply not only the law to your practices but also privacy by design and ethical behaviour.
Differentiate yourself from your competitors by being a trusted custodian of personal data.
Robert Bond, December 2014
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.