Lunch & Learn: Big Data Analytics
13 April 2015
Sue McLean, Alex van der Wolk
© 2015 Morrison & Foerster (UK) LLP. All Rights Reserved. mofo.com

Lunch & Learn
- 2nd Monday of each month
- 45 minutes via webinar
- Unaccredited CPD points
- Next session: Monday, 11 May 2015
  - EU Antitrust Law - Recent Highlights and Current Trends
  - Speakers: Tom McQuail and Andreas Gruenwald

Today
- Questions at the end. Or by email afterwards.
- Phones are muted to reduce background noise
- We'll unmute at the end

Overview
1. Where are we with Big Data and what does it mean for business?
2. Data privacy issues raised by Big Data
3. Other issues raised by Big Data
4. Practice tips
5. Q/A

What is Big Data?
- IBM: 90% of the digital data that exists today created in last 2 yrs
- Big Data is just data, just more of it, and we can do more with it!
- Gartner: 80% of all corporate data is unstructured

Big Data Benefits
- Many potential benefits:
  - better understanding of business & customers
  - help companies forecast
  - help companies make better decisions
  - inform business strategy
  - help tailor products
  - drive productivity, savings and efficiencies
  - improve agility
  - grow existing business
  - create new revenue streams
  - deliver competitive advantage
- But also challenges

Big Data and the EU
- EU is aware of the economic potential of Big Data
- EU's Big Data Strategy:
  - accelerated innovation
  - productivity growth
  - increased competitiveness in data across EU and global market, with Europe as key player
- Joint investment by EU and data industry of EUR 2.5 billion
  - EUR 500 million to come from EU
- Individual countries are also focusing on big data, e.g., UK has ambitions to be world leader (initiatives include creation of 42million Turing Institute for Data Science, 231million investment)

The European Framework
- Data Protection Directive 95/46/EC
- WP29 Opinion on Purpose Limitation
- WP29 Opinion on Anonymisation
- WP29 Opinion on Legitimate Interest
- Country-Specific Guidance

Directive - Basic Principles
- Personal data may be collected if there is a ground, such as legitimate interest or consent
- Purpose limitation
  - Personal data must be collected for specific, explicit and legitimate purposes and
  - Not be further processed in a way incompatible with those purposes
- Personal data must be adequate, relevant and not excessive in relation to the purposes for which collected and/or further processed

Article 29 Working Party
- Statement on impact of Big Data on privacy of individuals (September 2014)
- Individuals should also benefit from Big Data
- Current data protection principles (notably the Directive) need to be complied with
- WP Opinions on Purpose Limitation, Legitimate Interest and Anonymisation apply

WP29 Opinion on Legitimate Interest
- Often overlooked Opinion in context of Big Data
- WP29: consent is not always suitable and in some cases legitimate interest ground may be better suited
- "An appropriate assessment of the balance under Article 7(f), often with an opportunity to opt-out of the processing, may in some cases be a valid alternative to inappropriate use of, for instance, the ground of 'consent' or necessary for the performance of a contract"

Legitimate Interest
- Take into account number of factors
  - Interest of data controller
  - Privacy impact of individual
  - Nature of data
  - Status of data controller
  - Nature of relationship with data controller
- Interest is not only cost but also benefit
  - is otherwise in the public interest, or benefits from social, cultural or legal/regulatory recognition in the community concerned
- Balancing test is contextual (reasonable expectations of data subject)

Legitimate Interest
- If outcome of balancing test is in favour of individual: apply mitigating measures, e.g.
  - Data minimisation
  - Anonymisation / pseudonymisation (note: Opinion on Anonymisation)
  - Enhanced control (e.g. dashboard) instead of access
  - Transparency for choices made (+ document choices)
  - Functional separation
- DPIA: "data subject is entitled to have all categories of interests to be taken into account and weighed against those of the controller or third party" (also ethical considerations)
- If outcome cannot be balanced: consent

Purpose Limitation and Secondary Use
- Specific
- Explicit
- Legitimate
- If dataset was not originally acquired (also) for the purpose of Big Data analytics: question of compatibility
- Compatibility must be assessed on case-by-case basis
- New purpose not automatically incompatible

ICO Guidance
- Big Data is not a game played by different rules
- Transparency
- Condition for processing
- Using third party data sets
- Purpose limitation
- Anonymisation
- Minimisation and Retention of Data
- Security
- Ethical Approach

Looking Ahead - Regulation
- Draft Regulation will impact use of big data analytics
- EU politicians voicing stronger opinions
  - Big data needs big rights
- Profiling
  - Regulation contains definition on Profiling
  - If has legal effects/or significantly affects rights and interests: permitted only with explicit consent
  - Some flexibility for processing pseudonymous data but only if identification impossible
  - Human intervention needed for decisions affecting individuals
  - Restrictions on profiling special categories of data (e.g. sensitive data, data of children, etc.)

The Creep Factor
- Just because you can do it, doesn't mean you should!

Privacy as differentiator
- Privacy by design is not zero sum game

Not just a privacy issue!
For example:
- Compliance with applicable laws & regulation
- Intellectual Property Rights
- Third Party Data
- Cyber-security
- Liability
- Competition

Compliance with laws & regulation
- Industry-specific
- Consumer Protection
- Employment

Intellectual Property Rights
- Who owns the IPR in the data?
- IPRs
  - Copyright
  - Database right
  - Moral rights
  - Trade marks
  - Trade secrets, confidential information
- Data Sources
  - Proprietary data
  - Open data
- Big data analytics involves copying and processing data
- Key question: Are your ownership & license rights wide enough to cover the intended use?

Third Party Data
- Third party licensed data
- Open data
- Web scraping
  - IPR infringement
  - Breach of website terms and conditions
  - Breach of applicable law e.g. CMA
  - Ryanair v PR Aviation BV

Cyber-security
- Not just privacy issue: confidential information / trade secrets / systems
- Analytics: increased reliance on external hosting/cloud computing solutions and third party service providers
- Treat cyber risks as strategic business risks
- Good practice, e.g.:
  - Risk assessment and governance
  - Employees
  - Security by design
  - Testing
  - Insurance
  - Third party providers

Liability
- Do not be seduced by Big Data's false charms!
- Liability risks if the data provided is erroneous/unreliable
  - Reliability of raw data or results
  - Correlation v causation
  - Google Flu Trends
  - Still needs to be regulated by humans
- Third party data: back to back liability may be limited protection
- Insurance

Competition Risks
- Companies that are data rich acquiring other data rich companies could trigger merger control/abuse of dominant position concerns
  - Google & DoubleClick, Facebook & WhatsApp
- Company holds data that other companies need and company is asked to provide third party access to that data
- EDPS 2014 report on "the interplay between data protection, competition law and consumer protection in the digital economy"
- UK - CMA Call for Information: The Commercial Use of Consumer Data

Managing Big Data Projects

Practice Tips (1)
- Start with the basics:
  - what is the aim of the project, what is the business issue the data will help solve?
  - what data do we need for the project?
  - is the data personal data?
  - where is the data stored or processed?
  - what rights do we have to process the data?
- Data Lifecycle
- Third party players
- Qualified resources
- Consider legal compliance from day 1

Practice Tips (2)
- Consider whether you need to use personal data at all, or whether you could use anonymised data
- Are you using analytics to identify general trends or make decisions that affect individuals?
- Identify and manage responsibilities
- If using data sets obtained from third parties, check the source and integrity
- Ensure appropriate contractual arrangements with third parties
- Ensure legal basis
- Demonstrate that collection is necessary to achieve purposes and that least privacy-intrusive methods are used
- Consider whether analysis is possible based on legitimate interest or whether consent needs to be sought

Practice Tips (3)
- If re-purposing, consider whether the new purpose is incompatible with the original purpose or whether new consent is required
- Be specific
  - Explain purposes, implications and benefits
  - Avoid descriptions that are too vague or too general
- Break down general purposes
  - Provide granular information to ensure all of the different purposes are sufficiently clear
  - Include more details where purposes cannot be clearly derived from context
- Use layered notices
  - Present information in a concise and user-friendly manner, while more detailed information should be accessible via links

Practice Tips (4)
- Be mindful of the non-privacy risks and issues too!
- Consider relevant law & regulation
- Ensure that you own the data or have the rights you need
- Have appropriate third party protections in place
- Address the cyber-security risks
- Beware the dictatorship of data
- Identify where analytics activity is happening
- Create a Big Data policy/checklist and training

Any questions?

Contacts
- Alex van der Wolk, Partner, Berlin, +31 20 703 1810, avanderwolk@mofo.com
- Susan McLean, Of Counsel, London, +44 20 7920 4045, smclean@mofo.com, @sumolaw, uk.linkedin.com/in/suemcleanmofo/