Big Data is trending, and will certainly remain so for quite some time, as I see it at least. And yes, Big Data does certainly open lots of possibilities and opportunities. No doubt about that. So let me be clear (especially since I am a lawyer): I am a big fan of Big Data and I am absolutely embracing this phenomenon. So, you are dealing with a believer here.
But still, one cannot deny that Big Data is also a hot issue legally – especially if it comes to privacy. It makes the news, almost on a daily basis. For example, earlier this week the Dutch Consumers’ Association [in Dutch: “deConsumentenbond”] pleaded for more transparency by smart TV suppliers as to what data they measure from end-users. Also earlier this week, the Dutch financial newspaper “Het Financieele Dagblad” published an item about The Internet of Things and privacy issues & concerns. And last Saturday, the Dutch newspaper NRC Handelsblad published a huge item about one’s ‘digital me’, as in your digital shadow as profiled by online players like Facebook. And I’m pretty sure, most of you still remember ING’s plans to resell the (bank) data of their customers and in particular you will remember how the public reacted to these plans. And last but least: today the governmental plans for SyRI (System Risk Indication) caused some panic, since this system is meant to enable governmental institutions to detect fraud easier by using, amongst others, data mining and profiling.
So this brings me to the title of this blog, or better, the question: is Big Data a big deal from a privacy perspective, or is it not? My answer to this question is: no, it is not a big deal or, at least, it does not have to be a big deal. The good news is that EU privacy laws as such, do not prevent or forbid one to use (or in legal terms: process) Big Data. Hence, it is possible to process Big Data, as long as one is aware of the privacy issues and deal with these properly.
Moreover, I even dare to say that “consent” is certainly not always required in order to process Big Data, as some people apparently think, but that such is allowed because you can rely upon a legitimate interest. Generally speaking, one could say that analyzing general trends based upon Big Data falls under the ground of a legitimate interest, but for analyzing individual persons consent will be required.
The most important points of attention, when dealing with Big Data are the following. First of all, are personal data involved? (Most of the times ‘yes’ by the way!) Secondly, the ‘Big Data processing’ may be incompatible with the purpose(s) for which the personal data originally have been collected. The latter relates also to the ground for processing personal data
In de applicable privacy laws, personal data has been defined as any information relating to an identified or identifiable natural person. What often is overseen in Big Data projects is the following. For as long as a person is still identifiable (by using all available means), such information remains personal data. And thus privacy compliance remains applicable. Hence, it is my experience that the conclusion that no personal data is involved (anymore) is drawn too easily. For instance, by arguing that the data have been aggregated. A good example in this respect is Equens. When launching its Big Data plans, Equens argued that personal data had been aggregated up to postal code level, and thus should not be considered personal data anymore. That was a wrong assumption. Not to mention, by the way, that aggregating or anonymizing personal data is a form of processing which as such falls within the scope of the privacy laws…….
The second point of attention is that the ‘Big Data processing’ may be incompatible with the purpose(s) for which the personal data originally have been collected. Also known as secondary processing. So it is important to check whether the Big Data purpose still sufficiently matches the original purpose(s) for processing personal data. If not, the Big Data processing in principle requires (additional) consent from the data subject.
And my final advise: be transparent. Please be transparent. The Dutch Data Protection Authority (in Dutch: College Bescherming Persoonsgevens) especially focuses on the issue of transparency. So communicate and be open about what you do or plan with regard to a Big Data project. I guarantee you: it will be ‘bigger’ fun being transparent about it.