Privacy and Data Protection (and more) for Big Data Marit Hansen Deputy Privacy and Information Commissioner Schleswig-Holstein, Germany marit.hansen@datenschutzzentrum.de Madrid, 25 February 2015
Setting of ULD Data Protection Authority (DPA) for both the public and private sector Also responsible for freedom of information Source: en.wikipedia.org/ wiki/schleswig-holstein Privacy and Data Protection for Big Data Source: www.maps-for-free.com 2
Overview European Data Protection Principles Examples of big data and potential effects Conclusion Privacy and Data Protection for Big Data 3
European Data Protection Principles For personal data: Lawfulness, e.g. statutory provision or consent Purpose limitation Necessity Transparency Data subject rights Data security Accountability Data Protection by Design? By Default? Privacy and Data Protection for Big Data 4
Data Protection by Design & by Default Data Protection by Design and by Default will be integrated in the upcoming European General Data Protection Regulation (Art. 23) Targeted at: data processors + producers of IT systems Objective: design systems + services from early on, for the full lifecycle a) in a data-minimising way b) with the most data protection-friendly pre-settings Not easy for Big Data if personal data are affected. Privacy and Data Protection for Big Data 5
Guidance from the Art. 29 Data Protection Working Party Documents 1. Opinion 03/2013 on Purpose Limitation (WP203, 2013) 2. Opinion 05/2014 on Anonymisation Techniques (WP216, 2014) 3. Statement [ ] on the impact of the development of big data on the protection of individuals [ ] (WP221, 2014) Take-away messages 1. Specified, explicit and legitimate purpose; functional separation; compatibility check for changed purposes 2. Case-by-case; avoid pitfalls; risks not excluded 3. Data protection law is still valid and must not be ignored. Cf. Carmela s Privacy and Data Protection talk for Big on Dataanonymity 6
Examples Privacy and Data Protection for Big Data 7
Example: Old-fashioned big data: on a legal basis Source: US Census Bureau Privacy and Data Protection for Big Data 8
required by law Census: usually anonymised Process is transparent for citizens No simple opt-out Controlled by Parliament Possible: going to court Misuse will be sanctioned Source: Quinn Dombrowski Privacy and Data Protection for Big Data 9
Example: combining Internet data Personal data processed, profiling algorithm Individual consequences possible Source: Thierry Gregorius Purpose limitation? Transparency? Data subject rights? Privacy and Data Protection for Big Data 10
Consequences for groups of individuals possible: social sorting www.datenschutzzentrum.de Example: anonymised big data sorting people Not necessarily regulated in data protection law Transparency? Data subject rights? Fairness? Privacy and Data Protection for Big Data Source: Neubie 11
Reasons for not contributing to the data: Poor Old Privacyaware www.datenschutzzentrum.de Example: Traffic planning biased data X Effect on decisions? Risk of manipulation? Privacy and Data Protection for Big Data Source: Mehmet Karatay Icons: Axialis Team 12
Big data with personal data Conclusion Within the data protection scope: lawfulness, consent, purpose limitation, data subject rights, Big data without personal data (check again: really no personal data?) Not within the data protection scope But maybe with consequences for individuals & society! Need for transparency & possibilities to intervene Currently lack of understanding and reliable concepts quick & dirty must not prevail & persist! Privacy and Data Protection for Big Data 13
Thank you for your attention! Marit Hansen marit.hansen@datenschutzzentrum.de