At the 5th annual European Data Protection Days event in Berlin on May 4, 2015, two keynote addresses about Big Data were of note: one given by Giovanni Buttarelli, the European Data Protection Supervisor, and the other by FTC Commissioner Julie Brill. Links to the full speeches are provided at the end of this blog.
Buttarelli and Brill both stressed the “need for global bridges to be able to protect the personal data and privacy of the individuals facing borderless technologies, business models and networks that use their data as fuel.” Both have a passion for creating such bridges, but acknowledged it will be a herculean effort to both create and sustain them. The EU-US Safe Harbor is one example of an existing bridge that allows personal data from Europe to be transferred and processed in the US. However, this bridge is currently under considerable criticism, including a legal challenge from the Europeans, which is evidence of the difficulty of bridging between countries with converging but different perspectives.
Commissioner Brill’s Remarks on the Internet of Things (IoT)
Brill believes the IoT presents great opportunity, but also some big privacy and data security challenges. She quotes Obama’s top technology advisor Nicole Wong saying, “[t]here is no future in which less data is collected and used”, which is both a fact and a challenge. With individuals increasing their number of devices, more sensitive data will be collected. User interfaces will shrink, limiting understanding by consumers about how data is collected and used, and we will be perpetually connected.
The FTC wrote in their report on the Internet of Things [https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices] that we must provide appropriate privacy protections or we run the risk of eroding consumer trust.
Brill goes on to say that preserving this trust isn’t easy. Law enforcement is part of the equation, but so are industry and company best practices. Better ways for consumers to exercise control are also important. Since big data analytics usually involves data from many different sources, and for new and innovative purposes not considered when it was collected, companies should be accountable for using all this data in a way that is consistent with consumers’ expectations. Because the collection of consumer data often occurs well outside their purview, and given the complexity of the ecosystem, companies and regulators must be guided by fundamental privacy values as well as a sense of ethics.
Brill reiterated the FTC call for both baseline privacy legislation and data broker legislation. She explains how Section 5 of the FTC Act, which allows the agency to take action against companies that engage in unfair or deceptive data practices, creates a consumer focus that applies to the Internet of Things in two ways. First, when a company tells consumers what data it collects, how it uses this data, and to whom it is disclosed, those representations must be truthful. Second, what a company does not tell consumers may be just as important because omissions of material information can also be deceptive.
Brill believes that data security is possibly the foremost challenge for the IoT. The security of the devices and transmission of data is as important as the security of the data the devices generate.
The second challenge is the collection and use of sensitive data, such as health, location and financial data. Disclosures to many third parties and the ease with which the data can be identified or used to generate additional sensitive inferences are at odds with consumer trust. Health-related mobile apps provide a great example.
Brill said the FTC was wrestling with questions about the ability of algorithms to make inferences and predictions about us, which can be sensitive, e.g. race, health or financial status. She calls out the FTC’s data broker report, which pointed out that segmentation can be used for inclusion as well as harm.
Brill said law enforcement based on strong baseline privacy legislation, which she favors, is only one part of protecting privacy and data security, and urges development of industry and company best practices. She urges companies to be creative about providing transparency and control.
Brill also comments on how data analytics is having more influence on the ads that consumers see, the offers they get, and how they are treated. She reminds us that some of these practices are already regulated by laws such as the Fair Credit Reporting Act and the Equal Credit Opportunity Act. She urges companies to look closely at how they use data to make decisions to see if these practices are leading them to treat consumers inappropriately based on sensitive characteristics.
Finally, she concluded by saying that data scientists, technologists, ethicists, and advocates all have a role to play in influencing decision-making practices.
EDPD – Buttarelli’s Remarks
Buttarelli points out that the U.S. Constitution and the EU Charter of Fundamental Rights both lay out the pillars for bridge building.
Buttarelli would like the U.S. to have an “unambiguous and coherent Consumer Privacy Bill of Rights,” not unlike what they have in Europe. He also believes the solutions for Big Data should be based on an ethical approach to developing technology and related business models, include reformed legal rules, encompass technical solutions such as privacy by design, and should have cooperative enforcement across borders.
Buttarelli goes on to say, “Perhaps we can agree that the ultimate purpose of the systems of data protection and privacy, irrespective of their territorial origin, is to protect the freedom of the individual to control how his or her personal information is handled and by whom.”
Buttarelli lists some of the risks that big data poses and suggests that an ethical dimension is unavoidable:
– Challenges to user control and consent
– Complexity of allocating responsibility in big data ecosystems
– Lack of transparency
– Repurposing data or the risk from data used out of context
– Potential for unfair discrimination stemming from biased conclusions
Buttarelli believes that individuals should be able to understand how algorithms create correlations and assumptions, and how combined personal information can turn into intrusive predictions about behavior.
Buttarelli believes that the reformed EU data protection rules should be applied in a more modern, flexible, creative and innovative way that remains consistent with existing principles, including data minimization and purpose limitation, and complemented by new principles of accountability and privacy by design.
Finally, a breach of EU law can cost the responsible body 10% of annual revenue, showing the importance of respecting fundamental consumer rights.
Both speeches are worth reading in total.
Brill’s Remarks at European Data Protection Days
Buttarelli’s Speech at EDPD