Checklist: 23 Questions on


Checklist: 23 Questions on Big Data And Law

TABLE OF CONTENTS

Foreword
What is Big Data?
Which different types of data exist in marketing, for example?
Which legal regulations are relevant?
Which data collections or analyses require consent?
Is data personal data, if conclusions can be drawn about an individual from a chain of data?
Is there a tie-up between data for a specific purpose or can the collected data be generally used and analysed?
Can I merge all data? Can I particularly add/synchronise external data and can I merge data sets, if I believe that they come from one and the same customer?
Can I use insights from the analysis for customer profiling?
Can I carry out all types of analysis?
When do I need an opt-in for data storage and data analysis and what must be included in the opt-in to process data?
Stefan von Lieven on Big Data
Which data from a contractual relationship can I use for analysis or customer profiling?
How do I handle automated decisions from the analysis?
Are there particular regulations when handling behavioural probabilities?
Does the country where I store or analyse the data play a role?
Can a customer object to data storage?
Is the pseudonymous/anonymous processing of data volumes permitted for marketing research purposes?
Do I need to allow a person to object to data analysis (profiling) of his personal data?

Can I determine categories for a target group based on personal data (clustering)?
Can I merge the data collection and analysis in a black box without consent?
Do I need to allow an individual access to his personal data?
How fast and how extensively do I need to allow the deletion of personal data and/or how long can I store this data?
Which technical and organisational measures do I need to take in order to protect data (including from internal departments)?
Which requirements on Big Data result from the current version of the European Data Protection Regulation?
Contact

FOREWORD

Big Data is currently a hot topic. In the digital economy, Big Data has become an essential value-adding factor which can hardly be ignored by a company. However, the collection and processing of large data amounts is subject to a number of legal regulations, especially in a commercial environment. The following checklist will help you to avoid legal pitfalls when handling Big Data.

Big Data is a topic companies can hardly avoid nowadays, especially in the digital economy. At the same time, the sensitivity to data protection is increasing in the media, the public, with legislators and decision-makers in companies. Our experience based on our consulting practice shows that data protection has now become a key topic at the level of management and board. The reason is, firstly, that the correct use of Big Data has become an essential competitive advantage and, secondly, that legal security and data protection are indispensable in the Big Data environment.

Most companies in the market generally have a very good understanding of data security. New developments, such as Big Data, however, can lead to uncertainty. Which data collections or analyses require consent? Is there a bond between data collected for a specific purpose? How do we deal with automated decisions from the data analysis? These and other questions will be answered in our checklist.

Dr. Fabian Niemann (Bird & Bird) Fabian.Niemann@twobirds.com

01 What is Big Data?

The number of data-producing applications and terminal devices is constantly increasing while, at the same time, the cost of storing and processing large data amounts is decreasing. This leads to a continuous increase in the amount of collected data, especially in companies, but also in public authorities, in research and in other institutions. This phenomenon is currently being discussed under the keyword Big Data.

According to a survey by IBM, managers sum Big Data up with terms such as large range of information, new types of data analysis, real-time information, modern media types, data influx, large data volumes or data from social media. The definition by the Research Services of the German Bundestag is as follows: "Big Data refers to large data volumes from manifold sources, which can be captured, distributed, stored, searched, analysed and visualised by means of newly developed methods and technologies."

Big Data is no longer only a topic of information technology. Data collection and processing is not an end in itself. It is more and more the foundation to generate information from which we can retrieve knowledge to meet company goals in our everyday work life. However, it is also being applied in other areas of life (e.g. medicine or cars) and is constantly changing our world.

Regarding the achievement of economic goals, Big Data must primarily be target-oriented. In marketing in particular, Big Data stands for understanding and therefore opens up new potentials, which have a direct effect on the turnover.

02 Which different types of data exist in marketing, for example?

Data does not equal data. Especially in marketing, this is not about collecting any data but about collecting the right data, which can then be used appropriately. Marketing-relevant types of data include:

Usage/response data in digital channels (e.g. , social media, website): opens, clicks, conversions, social shares, visited websites, etc.
Technical data: IP address, browser, terminal devices, client, installed plug-ins, etc.
Transaction data from online shops: purchased items, generated turnover, last purchase, return rate, purchase frequency, price sensitivity, etc.
Location-based data: fixed location (identified via IP address), mobile location (identified, e.g., via GPS or Bluetooth), etc.
Socio-demographic data: age, gender, city of residence, marital status, profession, etc.

03 Which legal regulations are relevant?

The general law applies to Big Data. There are no special legal regulations within German law. For the storage and commercial use of Big Data, the Copyright and Data Protection Act are of particular importance. Furthermore, the Telemedia Act and the general civil law (namely the German Civil Code - BGB) are relevant. These laws regulate in particular who the data belongs to and to what extent companies can make use of it.

The Copyright Law applies when audio, video and image files or larger texts are to be processed or transmitted, i.e. works which are subject to copyright. In this case, the use of the corresponding Big Data may only be possible with the explicit consent of the right holder (see question 4). Individual information/data (and with it a large proportion of Big Data), however, is excluded from the copyright law and is therefore not subject to the copyright limitations. However, collections of data can be protected by copyright or as a database. When a complete data collection or database (or substantial parts of it) is imported, the above-mentioned copyright limitations will apply after all.

When collecting, storing, processing, using and transferring data, you must also comply with the regulations of the German Federal Data Protection Act (BDSG). The conception of Big Data, to collect and use as much data as possible, creates a natural tension with the existing principles of the German Data Protection Act, which operates on the principle of data minimisation. This means that only personal data which is required for the specific process is to be collected and processed and, generally, personal data is to be stored and used as little as possible. When possible, data should always be anonymised. The data protection law is generally obsolete and not suitable for current technical and technological developments, such as Big Data or Cloud Computing, and we must fear that possible adaptations, e.g. in the context of the planned EU General Data Protection Regulation, will not facilitate the use through the business. The currently applicable law therefore needs to be interpreted in the light of technological and social developments and we need to find a compromise between (rigid) data protection and the reality of Big Data applications.

Furthermore, the data protection provisions of the German Telemedia Act (TMA), which apply to suppliers of products or services through a website, may also become relevant.

And last but not least, the German Civil Code may play a role, particularly the regulations on material property, as this property can also consist of data and data carriers. Example: When the automotive or insurance industry accesses in-car data in the field of telematics (a "black box"), the question is whether or not this is an intervention in the property of the vehicle owner and requires his consent.

04 Which data collections or analyses require consent?

The copyright law (where relevant), data protection law and civil law apply here.

According to the copyright law, any usage of copyright-protected works which is of relevance under copyright law (in particular the storage of data and its making available to the public) (see question 3) is basically only permitted with the explicit consent of the holder of the exploitation rights to these works. Without such consent, the relevant usage is only permitted to a very limited extent and within the limiting provisions of copyright law, especially under certain circumstances for scientific or private use. The commercial use of copyright-protected Big Data will, on the other hand, regularly require the consent of the right holder. It is important that information/data per se is not covered by copyright (unless essential parts are acquired from databases or collections) and, therefore, copyright restrictions do not apply.

However, as far as purely anonymous data is not used but, instead, data which can be assigned (in part) to individuals (as is generally the case with Big Data), the data protection legislation is to be observed in each case. German data protection law is based on the fundamental concept that it is prohibited to collect and use data. Exceptions to this prohibition include certain statutory permission provisions or the consent of the person concerned (justification under data protection legislation). The requirements differ according to whether the data is general personal data or so-called location data or traffic data.

The collection and processing of general personal data, i.e. particulars regarding personal and material circumstances of an identified or identifiable individual (name, address, address, marital status, occupation, ID number, insurance number and telephone number), require the prior consent of the person concerned, unless this is legally permitted under the Federal Data Protection Act (BDSG). General personal data is, initially, in particular contract data, i.e. data which is necessary for the establishment, contents or alteration of a contract between the service provider and the person concerned regarding the use of telecommunications services (e.g. name, age and address of the person concerned). General personal data is also usage data which is initially required to allow telemedia to be used and which is required for billing for these services (characteristics for identifying the person concerned, information regarding the start and end and the extent of the respective use and information regarding the telemedia used by the person concerned). Inasmuch as such data is stored and used outside the actual purpose of the contract, as part of Big Data analyses and applications, consent is required for this from all of the individuals whose data is concerned. This does not apply, however, when the use of this data is covered by statutory permission. Normally, only the so-called balancing of interests in pursuance of Section 28 (1) (2) of the Federal Data Protection Act is considered in this case. According to this, the use is permitted if the legitimate interests of the user in using the data outweigh those of the person concerned. However, a strict standard, which can frequently be fulfilled within the framework of use for research, medical purposes or similar, does not regularly apply in the case of purely commercial use. Anyone wanting to play it safe either requires consent or must make the data anonymous. In any case, it is always necessary to examine the individual case; as is mostly the case, general answers are out of the question when it comes to data protection laws.

Traffic data, i.e. data which is collected, processed or used during the provision of a telecommunications service (the telecommunications service used, the number or identification of the participating terminals (the caller and receiver of the call), personal authorisation identifiers, the card number (if using customer cards), any location data (in the case of mobile phones) as well as the start and end of the relevant call (date and time)), may only be collected with the consent of the person concerned. The processing of this data for marketing purposes also requires the consent of the subscriber concerned. In addition, the data of the receiver of the call (the other party who cannot, in practice, give his/her consent) must be immediately made anonymous.

Location data, i.e. data which is collected or used in a telecommunications network or by a telecommunications service and which indicates the location of the terminal of an end-user of a publicly available telecommunications service, may also only be collected and processed with the consent of the person concerned and only to the extent necessary for the operation of the service. As usual, processing of this data is possible without consent, if the data has been anonymised.

05 Is data personal data, if conclusions can be drawn about an individual from a chain of data?

The data obtained from a person does not necessarily lead directly to conclusions being drawn about their identity. It depends on the individual case. The applicable standard is disputed. In particular, it is debatable whether an anonymous item of data per se, such as the IP address of the owner of a website, can be an item of personal data, if a third party (in the case of IP addresses: the Internet Service Provider) can assign this. The German and European regulations are inconclusive in this respect. Basically, three different approaches are represented in legal literature, by the data protection authorities and by the courts.

The approach adopted by most data protection authorities is very simplistic and (too) restrictive. They assume that it is sufficient, if it is theoretically possible, in objective terms (so-called "objective data term"), to identify a specific person from a single item of data, even if the person or company using it requires information from third parties. This is true regardless of whether or not it is likely that such collaboration ever takes place. This may be relevant in the case of Big Data applications which allocate IP addresses to profiles or otherwise use these. According to this view, a person can, in addition to IP addresses, also be identified based on the following data: browser fingerprints, mobile radio data, vehicle data (vehicle number, licence plate, etc.), devices fitted with an RFID chip and pseudonyms.

According to the liberal opposing view, when dealing with the question of personal data, we only need to consider the extent to which the specific data-processing agency is able to identify a specific individual ("subjective data term"). External information is not relevant according to this view. According to this view, in particular the IP address is not personal data (except for the internet service provider in the case of individual connections), as it is merely a series of numbers which will not enable a person to be identified, even in connection with the detail that a specific website is accessed at a specific point in time.

Our view is that both sides are too general and unilateral. A mediatory solution would better serve the interests. Firstly, we need to identify, from the point of view of the respective data processor, whether or not the data is personal. Third-party data may be relevant here, too, if it is obvious that this party has access to the data and is able to use it to identify a specific individual. (Only) if this is the case should the data be classed as personal and, as a result, the data protection requirements (including consent oftentimes, see question 4) must be met.

In the case of Big Data, this means that, when in doubt, personal data is involved, as generally there is a mixture of several data types. A personal reference can be excluded if the data had already been anonymised prior to processing (see question 8). Anonymisation in our view, however, does not refer to the strict concept of most data protection authorities, but to our mediatory view presented here. If you do not wish to incur any risks, you should use the stricter benchmark as a basis.

06 Is there a tie-up between data for a specific purpose or can the collected data be generally used and analysed?

The principle that data is only to be used for a specific purpose applies in data protection law, i.e. data can only be processed for the specific purpose for which it was collected. During the collection of data, the person concerned is to be informed of the purpose for this collection, processing and use of data.

If the data is used to fulfil your own business purposes, i.e. in connection with the handling of contracts or the management of customer contacts, a subsequent change of purpose is permitted. Changing the purpose is permitted, if a legitimate interest of the processing authority, a third party or the public exists.

However, a general retaining of data cannot be considered according to the above-mentioned principles of change of purpose. The data processing authority is still obliged to specify a certain purpose for the retaining of data. This does not apply when the data is exclusively anonymous data.

For Big Data, this means that, when in doubt, a new data protection justification must be found prior to processing the data (see questions 4, 9, 17). This results from the fact that all data contained in the data pool may have been collected for a different purpose than the purpose for the processing of this data.

07 Can I merge all data? Can I particularly add/synchronise external data and can I merge data sets, if I believe that they come from one and the same customer?

Data on customers is generated in different places and for different purposes. In connection with Big Data there is, in fact, a difference between whether a data pool whose data is to be analysed already exists, or whether it needs to be created first. If the data pool does not contain only anonymous data, you must enquire separately, for each individual case, whether a data protection justification for the use as well as a data protection justification for the possible upstream merging of data exists. You must particularly bear in mind the following points:

Generally, the principles of purpose and data separation apply, i.e. the data can only be processed for the purpose for which it was collected. Therefore, different data sets generally need to be managed independently. The merging of data is only permitted, if a separate data protection legitimation (either consent or legal justification, see question 4) exists.

Commercial use, e.g. using data from a shop purchase profile in a newsletter, is generally only permitted after the recipient has given his consent (see question 4). The same applies to the enrichment of external data, e.g. updating postal addresses or credit history information, as well as to the enrichment of addresses via the social networks used, as long as this information is not generally available. However, the merging of data saved in list form with information which is freely available on the internet is still permitted without consent for the purpose of promoting the services of the online shop provider as a responsible authority under data protection laws.

The consent does not need to be obtained separately, but can be part of the data use agreement within the context of the newsletter subscription or the shop registration process, as long as the purpose of this consent is clear and comprehensible. When the person concerned, e.g. during registration in a shop, accepts the data use agreement, he also authorises the provider to merge his data.

08 Can I use insights from the analysis for customer profiling?

When creating user profiles, we generally need to establish whether or not we are dealing with personal data (see question 5) and whether or not the person concerned has given his consent:

The use of non-personal data without the individual's consent is admissible when the data has been made anonymous. According to the requirements of the Federal Data Protection Act, anonymised data exists when the corresponding individual details can no longer be assigned to a specific person or this would involve a disproportionate effort. When individual details cannot be assigned to the person concerned (so-called "real anonymisation"), this data may be used without limitation for web analyses and can also be transmitted to third parties (for more details on the requirements of anonymisation see question 5). Since the identification of the person concerned is ruled out here, consent from the individual is not required for user profiling.

Without the consent of the person concerned, personal data can only be used for the creation of usage profiles in compliance with the Telemedia Act when the data is pseudonymised. Data is pseudonymised, if the name or another identifier is replaced by a substitute, so that the identification of the person is either impossible or at least rendered considerably more difficult. Linking the pseudonymised usage profiles with the bearer of the pseudonym is generally prohibited. Furthermore, the person concerned must be informed about the profile creation and his right to object ("opt-out"). If the party concerned exercises his right to object, the creation of such usage profiles is not permitted. When creating the profile, all usage data (with the exception of the contract data) may be used. The possibility of creating a profile is limited, as it is only permitted for the purposes of advertising, market research or tailor-made design of the telemedia. Profiling for other purposes is not allowed without the individual's consent.

However, when personal behaviour-related data is collected, explicit and separate consent is required. Personal behaviour-related data is data which links the usage data to a specific address, e.g. click data, conversions or activities on a linked page. It is also important to collect and process data according to the type of consent. Behaviour-related data, such as the last click, cannot be captured or processed, if the person concerned has not given his consent.

User profiles can generally be created independently of the above-mentioned preconditions as long as the person concerned has given his effective consent (i.e. voluntarily and based on a comprehensible and specific consent form, see question 10).

The principle of data minimisation and data avoidance must be kept in mind, i.e. only collect the amount of behaviour-related data which is absolutely necessary.

In the case of Big Data, the above means that the data contained in the pool is to be checked individually for what type it is and whether a relevant data protection justification exists for each type of data. There is no general answer.

09 Can I carry out all types of analysis?

The general law applies to Big Data. Therefore, not all types of analysis of the data contained in the data pool can be carried out. Which type of analysis is allowed depends on the type of data in the data pool (see question 4). Usually, we are (also) dealing with personal data and a data protection justification (see questions 4, 5) will be required for processing. The following examples serve as a guide:

If you analyse behaviour data such as conversion rate, number of visitors on a website, click rate, clicking order or search terms by means of web analysis tools such as Google Analytics or Piwik, this will be permitted as long as the person concerned has been informed about the data collection and analysis and his right to object at the beginning of the process, i.e. when the website opens and before any of his data can be saved. If the person concerned objects to the use of his data or the setting of the required cookies, his data cannot be used. However, when cookies are only used for the purpose of enabling the website visit (e.g. session cookies), the person concerned does not need to be informed about this and has no right to object. Generally, only those data evaluations which assist advertising and market research as well as the needs-oriented design of the website may be carried out during web analysis.

When social media plug-ins are embedded in your own website (e.g. the Facebook Like button), data will be transmitted to social media regardless of whether or not the person concerned activates this button. This also applies to individuals who are not currently logged in to the platform or those who are not even registered with the service. The legal classification of these buttons is highly disputed. Since the IP address has been collected and stored here so that the person concerned can be recognised when he revisits the page and the data is also transmitted to the social networks, it is recommended that you obtain the person's consent, if you agree with the conservative view (and most data protection authorities, see question 5) of treating the IP address as personal data. One option would be the so-called 2-click solution. The first click on the buttons activates these. Prior to this, no data transfer takes place. Activation is equivalent to the consent of the person concerned. With a second click, the person concerned can then use the function behind the button.

In so far as it is necessary for the utilisation of a website to involve geo-localising (e.g. with services which supply offers linked to locations, e.g. "where is the nearest cinema?") or to re-identify the person concerned, this is permitted within the framework of such services, as long as there is an overriding reason to link the data with the person concerned in order to provide the service. However, this is not permitted for the creation of a profile for marketing purposes. Whether there is an overriding reason or not is usually assessed by the specific case, i.e. the type of service.

Apart from the terminal device detection and geo-localisation which may be permitted without consent, services such as social activity detection or advanced fingerprinting are other services which are only permitted with the consent of the person concerned. This consent is particularly required when user profiles are created through a third-party company.

10 When do I need an opt-in for data storage and data analysis and what must be included in the opt-in to process data?

Generally, the consent of an individual to collect and further use his data is not always necessary. Data collection and usage may also be permitted where there is a legal justification (see question 4). However, it can be dispensed with in the case of purely anonymous usage (see question 5). If consent from the person concerned is required, this must be voluntary and transparent for the person concerned and explicitly given.

The consent must be voluntary, i.e. given without compulsion. Consent is not voluntary when the person concerned had no other choice which did not result in serious disadvantages. Consent is not voluntary, for example, when an employer exerts pressure on an employee or when consent is linked to the supply of essential products or services (especially general interest social services such as energy, supplies, bank account); however, consent is voluntary in normal business. According to the prevailing and correct view, you as a normal provider can make your services dependent on data protection consent.

For consent to be legal, a recipient must explicitly agree to data processing. This consent cannot be part of preformulated contractual conditions or derived from another context. When the consent has to be explained in writing together with another explanation, it needs to be clearly identified or highlighted. Consent should therefore always be obtained separately and actively, i.e. the required check mark (opt-in) should not be set automatically so that the customer will need to remove it.

The customer needs to be informed about the purpose of the data processing, e.g. the collection of location data or analysis of click behaviour for customer-specific special offers. When the data is collected or processed for more than one purpose, you will need to name these different purposes. Within the framework of consent, the customer will also have to be informed about his right to object. This right to object can be problematical in the case of Big Data, as it is possible to object at any time and the data of the person concerned will then have to be removed or at least separated from the data set.

For a legally compliant proof of consent, German law only allows for the double opt-in procedure in the context of s. It is argued that this is the only way to ensure that it is actually the person who owns the account who is giving his consent. This procedure prevents a non-authorised person from subscribing a recipient - via a freely accessible form - e.g. to a newsletter. Every consent of a recipient must be carefully logged, so that the sender is able to prove at any time that he has obtained legitimate consent. For a legally compliant consent via double opt-in, the following applies:

The recipient will receive a confirmation after his subscription, in which he is asked to re-confirm his consent via a link.
The confirmation must not contain commercial content.
The log must include the type and scope of the consent (i.e. the specific data use agreement which the recipient has given his consent to), as well as the time when the consent was given, the IP address and the collected data.

In the case of Big Data, in addition to the above-mentioned risk of objection, the requirement for obtaining consent creates, in particular, the problem that the purpose of data processing might only come into effect at a later point in time or that it is no longer possible to obtain consent for all the data contained in the data pool due to practical reasons. Nevertheless, it is recommended that consent be obtained where possible.

Successful marketing is now strongly data-driven. The market is changing and customers are expecting a significantly more personal and relevant approach. This is only possible with a valid and substantial database. It is a necessary precondition in order to control and optimise marketing measures in a digital, highly responsive and targeted way. However, Big Data does not only stand for the collection and understanding of data. The actual possibility of using this data for marketing is becoming the important third pillar. This utilisation involves the planning and implementation of data protection aspects. The specific objectives are the legally compliant collection of consent and the processing of data in compliance with data protection: Legal Big Data.

Stefan von Lieven (CEO artegic AG) lieven@artegic.de

If you miss out on obtaining the relevant consent to personal, data-supported marketing, you may not be able to use your collected data in the future. Legal security in the context of Big Data is therefore becoming a decisive competitive factor.

11 Which data from a contractual relationship can I use for analysis or customer profiling?

The general principles apply to all data collected within the context of a contractual relationship (see questions 3, 4). The existence of a contractual relationship per se does not provide a basis for a justification concerning data protection, copyright or material property.

12 How do I handle automated decisions from the analysis?

When handling the automatic analysis of data, the same principles that apply to other data also apply to Big Data. When data is automatically collected and processed without the necessity of an individual decision by the data processing authority on the individual process, e.g. in the case of the automatic synchronisation of new customer data with existing data, the law places special requirements on the use of the results.

Generally, the German Data Protection Act stipulates that decisions, which may entail legal consequences for the person concerned or significantly affect him, may not be based on the automatic analysis of personal data. This principle reflects the issue that the automated analysis of data is based on the recognition of certain patterns and is probably not able to detect special individual cases. This is the case, in particular, with scoring procedures which evaluate the creditworthiness of a person based on mathematical-statistical procedures.

In exceptional cases, automated decisions may be used when the decision is to be made within the framework of a contractual or other legal relationship and is in favour of the person concerned or when the safeguarding of the individual's interests is otherwise guaranteed. Exceptions are particularly important in the case of an automated conclusion of the contract on the internet, i.e. when the person concerned accepts an offer after concluding a contract. Legitimate interests are, in particular, to be protected by subjecting the automated individual decision procedure to a prior check, for example when it is a question of evaluating the personality of the person concerned.

The Federal Data Protection Act (BDSG) also grants the person concerned a right to information regarding the logical structure of the automated data processing. In addition, the German Telemedia Act (TMG) includes a requirement for the data processing agency to inform the person concerned, if data processing is carried out by means of automated procedures.

13 Are there particular regulations when handling behavioural probabilities?

If specific probabilities play a role in processing Big Data, no particularities apply here. Instead, the general regulations of the German Federal Data Protection Act on handling probabilities must be observed. We can distinguish between a number of different scenarios as follows:

If the analysis merely involves handling anonymous data, e.g. for the purpose of counting visitors on a website or similar, no specific data protection requirements apply.

However, when the personal data is analysed in such a way that a probability value for a specific future behaviour is established (scoring), the law provides for the following requirements: the calculation shall be carried out through a scientifically recognised mathematical-statistical procedure; only data which is suitable for the calculation of the behaviour may be processed; probabilities may not be identified, e.g. merely based on address data or skin colour; if address data is used, the person concerned is to be informed about the use of the data prior to processing and this information is to be logged; the determination of probabilities must serve the purpose of reaching a decision on the establishment, execution or termination of a contractual relationship.

You must take into account the fact that the data to create this probability value needs to be collected and stored in a legally compliant way in the first place (including consent of the person concerned, see question 4).

These requirements do not apply e.g. to customer-specific advertising based on previous purchase behaviour ("behavioural advertising").

There is an option to have a third party, e.g. a credit agency (SCHUFA), carry out the probability calculations. However, if you transmit your own data to this credit agency you must bear in mind that the customer needs to give his consent.

14 Does the country where I store or analyse the data play a role?

The country where the data is processed does play a role in terms of data protection, copyright and material property. The territorial principle applies in data protection as well as copyright law, i.e. the law of the country where the relevant handling (storage or other relevant usage, see question 3) takes place applies. Accordingly, German copyright and, generally, also German data protection law (exception below) is always to be observed when the data is stored or used in Germany. In addition, the German data protection law applies, when data is captured by providers in Germany or collected from Germany by means of technical tools. Finally, German material property law applies when the data comes from black boxes or other data carriers which are the property of the person concerned.

An exception to the territorial law applies in data protection law when a company based in the European Economic Area (EEA) collects, processes or uses data in another EEA state. In this case, the country of origin principle applies (only in the data protection context). The background to this is the sufficient harmonisation of the Data Protection Law in the EU/EEA from the viewpoint of the EU Data Protection Directive (adopted by the EEA states), which sees it as sufficiently adequate when a provider adheres to his local law.

Finally, for data collection and processing outside of the EEA, stricter data protection requirements apply when the data is not exported from the EEA by the person concerned but by third parties (e.g. in the case of data merging of EEA data into a US data pool or remote access to EEA data pools by agencies outside the EEA). The transfer to non-EEA agencies of data collected within the EEA or the access to this data through non-EEA agencies is only permitted, if the additional requirements according to the EU Data Protection Directive are met.

In the context of Big Data, the EU standard contractual clauses as well as the Safe Harbour Principles are relevant. The former are preformulated contractual clauses endorsed by the EU, which are to be concluded between the data exporter based in the EU and the data importer based outside the EEA, and state that the importer principally undertakes to comply with the European Data Protection Directive regarding the exported data, including (as a contract for the benefit of a third party) the right of the person concerned to proceed against the importer in the case of violations. The latter is a self-commitment which, based on a bilateral agreement between the USA and EU and under the supervision of the US Federal Trade Commission, only allows American companies (with the exception of some industries such as telecommunications and banks, for which the FTC is not responsible) to subject themselves to the EU Data Protection Directives regarding data obtained from the EU.

In addition, the person concerned must be informed prior to the data processing procedure, if data processing is to take place outside the EEA.

15 Can a customer object to data storage?

Regardless of whether or not the data storage takes place within the context of Big Data, the following rules apply regarding the possibility of objecting: When the data storage takes place based on the consent given by the person concerned, this person must be able to object to the storage of his data. Objecting to consent to data storage must not result in a disadvantage for the customer. If we are dealing with data which is necessary to conclude a contractual relationship (see question 11) or which has already been made anonymous (see questions 16, 18), this right to object of the person concerned becomes null and void.

16 Is the pseudonymous/anonymous processing of data volumes permitted for marketing research purposes?

Anonymised as well as pseudonymised data may be used for market research purposes under certain circumstances. The following applies: The processing of anonymous data is generally allowed without consent from the person concerned (see questions 5 and 8). The processing of pseudonymous data is also possible without consent from the person concerned as long as it only involves usage data (i.e. attributes for the identification of the person concerned, details on the start and end as well as coverage of the corresponding usage and details on the telemedia used by the person concerned). However, the person concerned must be informed about the data processing for marketing research purposes and his right to object.

Within the context of Big Data you might have to differentiate according to the type of data.

17 Do I need to allow a person to object to data analysis (profiling) of his personal data?

Data analysis can generally only take place with the consent of the person concerned or based on a legal permission. To assess the lawfulness of an objection we must therefore differentiate depending on the legal basis of the data collection and storage:

If the data collection and storage is only possible with the consent of the person concerned, then data cannot be processed without this consent.

If the collection of data was necessary to enter and fulfil a contract with the person concerned, this permission barely extends to the analysis of data as we cannot assume that the data analysis is necessary for the execution of the contract.

If we are dealing with pseudonymised data, the decision regarding objection will need to be made after weighing up the interests. Here, we need to weigh up the interests with respect to the non-collection of data of the person concerned against the interests of the company. The time of the objection or the type of data usage by the data processing agency may play a role here. See also question 16.

When collecting or storing data, the person concerned must be informed about the purpose of this collection or storage. The processing of data and the creation of a profile must be specified as a purpose. The person concerned must also be informed about his right to withdraw any previously given consent.

18 Can I determine categories for a target group based on personal data (clustering)?

In clustering, every person is assigned to a specific group based on his behaviour. Legally, this procedure presents a modification of data as the informational content of the data is changed by assigning an individual to a user group. The requirements regarding the modification of data provided by the German Federal Data Protection Act correspond to those regarding the processing of data, i.e. in any case a data protection justification either in the form of the consent of the person concerned or a legal justification must exist.

Even when a data protection justification for clustering exists, this does not necessarily cover the required use of the data obtained for customer profiling or for direct marketing. A separate data protection justification is necessary (see checklist on marketing).

19 Can I merge the data collection and analysis in a black box without consent?

The general directives apply to the analysis of black box data: a data protection justification is required, either in the form of a statutory justification or the consent of the person concerned. However, this does not apply when the data is completely anonymised. If, for example, an accident data recorder from a vehicle is to be evaluated, a data protection justification is required. In addition, we face the problem of proprietary allocation of this data, which e.g. in the case of private vehicles will logically follow the rights as the driver, keeper or owner of the vehicle. This results in a consent requirement regarding data processing.

20 Do I need to allow an individual access to his personal data?

Regarding the right to information of the person concerned, Big Data follows the same rules as other data collections and processes. The person concerned generally has a right to information with respect to everyone who collects, stores, processes and transfers his data to third parties. On request the following information must be provided: which data regarding him is stored, where this data was collected, to whom this data is transferred, for what purpose it was stored.

The information on the origin of data may be refused, if it would involve disclosing a trade secret, which overrides the interests of the person concerned in the disclosure.

Access to personal data must be granted on request by the person concerned once a year free of charge. Further access may incur a fee for the customer. The customer must be informed about this.

The granting of these comprehensive rights to information and the practical and organisational hurdles related to this can be avoided, if you only store and process anonymous data.

21 How fast and how extensively do I need to allow the deletion of personal data and/or how long can I store this data?

The requirements of the German Federal Data Protection Act on data depend on the individual case. Generally, data can be stored as long as a data protection justification exists. The time of deletion is linked to the principle of purpose: as soon as the purpose for which the data has been collected has been fulfilled or becomes null and void, the data needs to be deleted. The purpose mostly results from the contractual relationship. Once this relationship has been terminated, the data needs to be permanently deleted.

In the case of Big Data this means that, in theory, you need to separately specify for all data if and for how long the data protection justification for storage exists. In practice, however, you will need to use groups as it is not feasible otherwise.

Data which has been stored for security purposes may still be stored for an appropriate time, mostly for technical reasons. In this case, you must ensure that this data can only be reconstructed in a security case. Either way, the indefinite storage of personal data is not permitted, regardless of the consent given by the person concerned.

22 Which technical and organisational measures do I need to take in order to protect data (including from internal departments)?

The general guidelines of the Federal Data Protection Act regarding the technical and organisational measures also apply to Big Data. Concerning the protection of data, Section 9 of the Data Protection Act requires that when handling data all necessary measures are to be taken to comply with the requirements of the Data Protection Act.

In detail, you need to ensure that: unauthorised persons have no (spatial) access to data processing installations; unauthorised persons have no access to the processing of the data, i.e. cannot have an effect on the process (this can especially be ensured through encryption); persons authorised for data processing only have access to the data for which they are authorised (this can particularly be ensured through encryption); access control is particularly important in the context of Big Data; the individual data of the data pool is to be stored with limited access in such a way that each person authorised for the data pool can only view and process the data for which he is specifically authorised; data is protected against access by unauthorised persons in the case of transfers (this can particularly be ensured through encryption); the input and processing of data can be checked to identify if and by whom these activities have been carried out; in the case of commissioned data processing, proper selection and monitoring of the contractor and his activities takes place; the data is protected against accidental damage (e.g. lightning strike, blackout, flooding, etc.); it is ensured that data which has been collected for different purposes will also be processed separately; employees who come into contact with the data of other persons are obliged to maintain data confidentiality.

23 Which requirements on Big Data result from the current version of the European Data Protection Regulation?

Currently, it is not absolutely certain if the planned European General Data Protection Regulation will materialise. If the (currently being drafted) General Data Protection Regulation in its current form (modified draft by the European Commission submitted by the European Parliament on ) enters into force, there will be important changes regarding Big Data, including:

The General Data Protection Regulation defines more clearly than the current German law when personal data exists (see questions 4 and 5). Identification numbers, locations or online IDs will only be classed as personal data when the data processing agency cannot prove that there is no reference to persons. With respect to an IP address, the rule is that this always constitutes a piece of personal data, if it has not been issued to a company.

As for questions regarding the processing of data for the company's own business purposes, the interpretation of the current proposal is that the possibility of a subsequent change of purpose for the data collection (see question 6) is limited by the Regulation. The current draft of the European General Data Protection Regulation specifies that data may only be processed for a purpose other than that for which it was collected, if the person concerned has provided his consent or a contractual basis exists for this.

If data is not processed by the company itself, but is passed on to third parties for processing (so-called "commissioned data processing"), the client and contractor are jointly responsible for complying with the data protection requirements in pursuance of the European General Data Protection Regulation. According to current German law, only the client shall be liable with respect to the person concerned and shall monitor compliance with data protection law by the contractor. The client's stricter (joint) liability is also a problem within the framework of Big Data, but overall for the use of data for advertising purposes.


4. LIMITATION OF LIABILITY

4. LIMITATION OF LIABILITY LEGAL NOTICE Terms and conditions of use The website icem.it ( Website ) is the exclusive property of ICEM srl, with headquarters in Via Corriera, 40 48010 Barbiano di Cotignola (RA) Italy (hereinafter

More information

E U R O P E A N E C O N O M I C A R E A

E U R O P E A N E C O N O M I C A R E A E U R O P E A N E C O N O M I C A R E A S T A N D I N G C O M M I T T E E O F T H E E F T A S T A T E S Distribution: EEA EFTA 20 March 2012 SUBCOMMITTEE I ON THE FREE MOVEMENT OF GOODS EEA EFTA Comment

More information

Johnson Controls Privacy Notice

Johnson Controls Privacy Notice Johnson Controls Privacy Notice Johnson Controls, Inc. and its affiliated companies (collectively Johnson Controls, we, us or our) care about your privacy and are committed to protecting your personal

More information

Qualified Electronic Signatures Act (SFS 2000:832)

Qualified Electronic Signatures Act (SFS 2000:832) Qualified Electronic Signatures Act (SFS 2000:832) The following is hereby enacted 1 Introductory provision 1 The purpose of this Act is to facilitate the use of electronic signatures, through provisions

More information

Opt/Net Consulting BV Privacy Policy

Opt/Net Consulting BV Privacy Policy Opt/Net Consulting BV Privacy Policy Last Updated on 1 June - 2012 This Privacy Policy sets out the policy of Opt/Net Consulting BV with registered office at Kerkedijk 7 in Bergen NH, The Netherlands ("Opt/Net

More information

Cookies and consent. The Article 29 Working Party has identified seven types of cookies that are not subject to the consent requirement.

Cookies and consent. The Article 29 Working Party has identified seven types of cookies that are not subject to the consent requirement. Cookies and consent Cookies are small text files placed on a computer and accessed by the browser when opening a webpage. - DDMA 2012 The statutory requirements governing the placement of cookies were

More information
