Having remained fairly static for about 20 years, data protection laws in Europe are on the cusp of their next major overhaul. Two of the key drivers are to encourage public trust in entities that hold and use personal data, and to bring outdated data protection laws in line with fast-paced technological developments. All very positive sounding so far, but why now and what's in the detail…
Why the change?
"Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collection has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and requires improved legal safeguards which will facilitate the free flow of data within the Union and the transfer to third countries and international organisations, ensuring a high level of the protection of personal data."
Recital 5, 17-12-2014 European Parliament Draft Report on the General Data Protection Regulation
In a communication of the European Commission at the start of July 2014, it was acknowledged that big data will play a pivotal role in the growth of the ICT sector in Europe, that it 'holds enormous potential' and Europe simply cannot afford to miss out.
"Big data technology and services are expected to grow worldwide to USD 16.9 billion in 2015 at a compound annual growth rate of 40% - about seven times that of the information and communications technology (ICT) market overall. A recent study predicts that in the UK alone, the number of specialist big data staff working in larger firms will increase by more than 240% over the next five years."
European Commission communication "Towards a thriving data-driven economy", Brussels 2.7.2014
Also very positive sounding, but then you need to read the small print of the proposed Regulation (the elephant) under which regime this 'big data age' is supposed to flourish...
Although the European Commission acknowledges the difficulties posed by the current complex and restrictive legal environment, the Regulation (in its current form, which is the European Parliament approved version of March 2014) adds further layers of complexity and restriction, particularly when it comes to 'big data' analytics.
In short, for many entities (particularly non-public sector), the stark reality will be that any analytics involving personal data will either not be permitted at all, or will need to be on an anonymised, or failing that, pseudonymised data use basis. If the profiling of personal data is permitted, then it is likely that consent will be needed (even if used in a pseudonymised form).
The Regulation does envisage specific other laws being enacted which permit certain processing of personal data for research projects of significant national importance (without consent), although as yet we do not know what this will cover and when it might come into force (if at all).
"The complexity of the current legal environment together with the insufficient access to large datasets and enabling infrastructure create entry barriers to SMEs and stifle innovation."
European Commission communication "Towards a thriving data-driven economy", Brussels 2.7.2014
Profiling and analytics under the proposed Regulation
The current regime
The Data Protection Directive currently in place in Europe has been implemented by national legislation into the laws of EEA member countries. In the UK, the implementing Act is the Data Protection Act 1998 (DPA). Any processing of personal data by a UK-based data controller (or by a data controller processing personal data on equipment in the UK), must be carried out in accordance with the DPA.
To comply with the DPA, data controllers (subject to certain exemptions) must notify their processing of personal data to the UK's data protection regulator (the Information Commissioner's Office) and comply with eight data protection principles (see below).
Similar requirements will apply in other EEA countries, although often it is not an exact match from country to country. As identified by the European Commission, national implementation of the Directive has led to national differences in implementation and interpretation. For this reason, a Regulation has been proposed this time around - which will have 'direct effect' and not need to be implemented into the national laws of each EEA country.
Personal data must:
- Be processed fairly and lawfully
- Be obtained for one or more specified and lawful purposes and may not be processed incompatibly with those purposes
- Be adequate, relevant and not excessive in relation to the purposes for which the data is processed
- Be accurate and kept up-to-date
- Not be kept for longer than is necessary
- Be processed in accordance with the rights of the data subjects
- Be protected by appropriate technical and organisational measures against unauthorised or unlawful processing of personal data as well as against accidental loss, destruction of or damage to that data
- Not be transferred outside of the EEA unless the recipient provides an adequate level of protection in line with the EU Data Protection Directive.
Whether processing 'big data' or 'small data' the data protection principles apply equally. This presents challenges for data protection compliance on a 'large scale' - but it is not impossible.
The new regime
The proposed Regulation, while recognising the need for change in data protection laws to keep up with technological changes, will present even greater hurdles to big data use involving personal data.
As the European Parliament puts it in its explanatory notes to their proposed changes, a 'general ban' on profiling is imposed. Not only that, but a breach of the Regulation could end up costing you up to 5% of your global annual turnover (if the European Parliament gets its way).
Another major change is that, for the first time, data processors will be specifically caught by many of the Regulation obligations, as will organisations outside of the EEA that are targeting goods or services into the EEA or profiling EEA-based individuals.
Additionally, the European Parliament's draft of the Regulation also requires 'producers' (essentially IT providers) to ensure that their solutions allow their customers to comply with data protection laws.
This means that IT providers (including creators of software and systems for big data use, analysis etc) and organisations who may never come into contact with the personal data of their customers, must ensure their tools and systems enable data protection compliance. In essence, the tools for analysing data must be designed from the ground up and keep compliance at their heart.
The draft Regulation strongly promotes not using personal data at all. If anonymised data is used (in the form of truly anonymised data which cannot be de-anonymised without disproportionate time, expense and effort) the Regulation will not apply. The flip side of the coin is that if data is not anonymised (including if merely pseudonymised) any 'profiling' will be subject to restrictions and requirements which exceed even current data protection laws.
'Profiling' is widely defined under the proposed Regulation (introduced by the European Parliament in their draft approved in March 2014), and could potentially 'catch' many instances of 'big personal data' use.
"'Profiling' means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour"
17-12-2014 European Parliament Draft Report on the General Data Protection Regulation
While protecting the rights of individuals and their personal data is of great importance, the proposed changes could stifle innovation and business which otherwise might ultimately have led to significant improvements in the lives of individuals - an obvious example being health data analysis to help solve health issues.
'Big data' users should particularly take note of the following:
Profiling will require statutory basis or consent
Under the proposed Regulation, businesses will need either a statutory basis (i.e. laws specifically permitting it) or consent to carry out profiling. This change will make it significantly harder to make use of personal data in a big data context.
Currently, if personal data is not sensitive personal data, its use is often permitted if it is for a legitimate purpose pursued by the data controller, or by the third party or parties to whom the data is disclosed (and the data subject's legitimate interests do not outweigh the data controller's or third party's). In that case, no consent is needed.
Under the Regulation, many organisations (particularly in the non-public sector) will in most cases need consent for any large scale personal data analytics - regardless of whether the personal data is sensitive personal data or not.
Certain profiling will be prohibited (no matter what)
Profiling is prohibited (irrespective of whether consent can be, or has been, obtained) if it:
- Results in discrimination against an individual on the basis of race, ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity (or if the profiling results in measures that have such an effect).
- Identifies or singles out children.
- Is automated and will result in measures which have a legal effect on a data subject or significantly affects the data subject; in addition, in this context where the profiling is of a person's economic situation, location, health, personal preferences, reliability or behaviour, a privacy impact assessment will first need to be carried out.
Consent to profiling will need to be 'informed consent'
Individuals will need to be given extensive privacy notices, including specific information relating to profiling. Although existing data protection laws already mean that (subject to certain exemptions) individuals should be informed of who is processing what personal data of theirs and why, the information to be provided under the Regulation will be more extensive.
It will include specifics around data profiling activities such as: the existence of the profiling, measures based on profiling, envisaged consequences of profiling and of measures based on profiling as well as how to object to the profiling.
You will also need to be able to prove you actually received the consent in the first place (i.e. an audit trail is needed). Consent must be true consent - the individual must have a genuine choice as to whether to give consent and be able to withdraw consent without detriment. An exception to this right to withdraw consent would be where the information needs to be retained for historical, statistical and scientific research.
Historical, statistical or scientific research information should be anonymised (or if not possible pseudonymised and the key kept separate)
Personal data used for historical, statistical or scientific research purposes (including health data), will be considered 'lawful' (and is specifically listed as a permitted condition for processing). However, personal data can only be used if it is not possible to achieve the requisite purpose by use of anonymised information.
If personal data is needed, then it should be pseudonymised and the key (to turn that data back to identifiable data) should be kept separate from other information. Restrictions will also apply to the publication of historical, statistical or scientific research data which discloses personal data.
The Regulation envisages specific laws (in addition to the Regulation) which allow for exceptions to the requirement to get consent for research if it serves 'exceptionally high public interests' and the research simply cannot be carried out using anonymous data. At present it is not clear what these 'derogating' laws will say, nor when they would be enacted.
In any case, the Regulation envisages that data will still need to be pseudonymised to the highest technical standards and all necessary measures taken to prevent re-identification. These projects will also need approval from the relevant regulator (i.e. in the UK, the Information Commissioner's Office).
Particularly stringent rules are attached to the processing of health data on the grounds that "Health data is extremely sensitive and deserves utmost protection" (European Parliament draft Regulation March 2014 explanatory notes).
Any processing of health data (a term which is widely construed in the Regulation) must be on the basis of EEA laws which, according to the Regulation, must provide for suitable and specific measures to safeguard the legitimate interests of data subjects. In addition, the processing must be necessary for the specific purposes set out in the Regulation which (in brief) cover health care by health care professionals, public health purposes or other public interest purposes such as social protection.
Health data for research, analysis and historical purposes is not considered as high a priority as health and social care provision purposes and as a general rule, health data (and also children's data) can only be processed for research, statistical and historical purposes with consent.
The Regulation does recognise that it may be necessary to process personal data concerning health without the consent of the individual, if it is in the context of 'public health' such as to protect against serious cross-border threats to health or ensure high standards of quality and safety (such as for medicinal products or medical devices).
Other elephants in the room
Other key changes to keep in mind:
- What constitutes 'personal data' will be widely construed under the Regulation.
- A new 'right to be forgotten' will be introduced - this will give individuals rights to ask for their data to be deleted. There are, however, certain exemptions to this right including where the information is necessary for historical, statistical or scientific research purposes.
- A new right of 'portability' will be introduced - individuals will be entitled to ask for copies of their data which are processed electronically and, if that processing is on the basis of consent or a contract, to ask for the data to be transmitted to another automated processing system. Although the right to ask for copies of personal data has been around for years under existing data protection laws, the most concerning change is the ability to ask for data to be 'ported' to a new system. Systems and data formats (which may be legally specified at a later date) will need to be compatible.
- A new requirement to conduct privacy impact assessments will be introduced - in particular where specific risks to the rights and freedoms of data subjects are involved. The proposed Regulation calls out certain areas which will be considered a specific risk and for which a privacy impact assessment will be needed, e.g. involving health data and children's data.
- A mandatory obligation to have a data protection officer will be introduced (the officer will have prescribed tenure and tasks under the Regulation) if systematic monitoring or profiling of individuals is carried out.
Quick checklist for big data analytics under the proposed new Regulation
- Does the personal data fall within categories which cannot be profiled (e.g. is it children's data, does the profiling cause a discriminatory result, or is the processing automated with a legal or significant impact on an individual)? If yes, do not process the data.
- Can the personal data be anonymised? If yes, then do so!
- If not, can the data be pseudonymised? If yes, keep the key to identifying individuals separate.
- Whether pseudonymised or not, obtain fully informed consent unless an exception to the requirement to get consent applies.
- If an exception to the requirement to obtain consent applies (e.g. other laws specifically permit processing without consent) check what requirements and safeguards apply under that permitting legislation.