Data processing practices are evolving faster than the law can adapt to them, according to a senior British lawyer at an international law firm specialising in data protection.
Ask a lawyer and a database administrator for their definitions of “delete” or “anonymise” and you will quickly realise the size of the task facing legislators around the world as they seek to define and prevent irresponsible and outright criminal uses of data in 2013.
Speaking to the Guardian, Bridget Treacy, leader of the UK Privacy and Information Management practice at law firm Hunton & Williams, stated her belief that legislation will always be playing catch-up to technology in this area, adding “that’s just the way it is”.
Among the most contentious areas of data protection law in the UK are the dual concepts of anonymisation and pseudonymisation of data.
Anonymous data is data held in such a format that it is impossible to establish the identity of any of the individuals whose details it contains. Pseudonymous data has had personal details removed – for example, names replaced with unique ID codes – but still contains enough detail for someone to establish the identities of individuals, even if this requires combining it with a second database not held by the company in question.
If data is fully anonymised, it is no longer subject to the Data Protection Act (DPA), because it no longer relates to an identified or identifiable individual. In contrast, pseudonymous data remains personal data because it is capable of being related to an identified or identifiable individual, and thus remains subject to the DPA.
Chief among the challenges facing legislators in this area is the question of whether any individual dataset can be considered truly anonymous if its owner also holds the raw, personally identifiable data from which it was created.
“How do we decide whether the data is really anonymous when we hold all of the constituent elements of it?”, asks Treacy. “If I have a list of information where I’ve replaced individuals’ names with codes, but I also have – perhaps at another location – the same list with the names instead of the codes, I have pseudonymised information, but not anonymised information, if I can link the data sets.
“Our definition of personal data in the DPA refers not just to information that is readily to hand, but also to information that you are likely to obtain, so it takes a much broader perspective. I think therefore it is quite hard for companies to seek to anonymise data but still hold the keys that unlock it. Sometimes a trusted third party can be utilised to ensure the data sets are not combined.”
Ensuring true anonymisation is perhaps the single best example of an issue that is only going to become more complex as time passes and technology evolves. The ability to combine two or more datasets created by entirely distinct organisations and use common field headings to create personal data from pseudonymous data is now widely understood and relatively easy to build into legislative frameworks, but we are now seeing cases of firms using such datasets to create information that is more personal than the sum of its parts.
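The two re-identification routes described above, as an added illustration that is not part of the original article: a company replaces names with keyed codes but keeps the code-to-name mapping (so the data is pseudonymous, not anonymous), and even once that mapping is handed to a trusted third party, the remaining fields can still be joined against a second dataset on common field headings. All records, the secret and the second dataset are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample data: a company's customer table (hypothetical).
RAW_CUSTOMERS = [
    {"name": "Alice Example", "postcode": "SW1A 1AA", "dob": "1980-03-14", "spend": 420},
    {"name": "Bob Sample",    "postcode": "SW1A 2BB", "dob": "1975-11-02", "spend": 95},
    {"name": "Carol Test",    "postcode": "M1 1AE",   "dob": "1990-07-30", "spend": 1300},
]

# Constructed second dataset (hypothetical): a list held by an unrelated
# organisation that happens to share the postcode and dob columns.
OTHER_DATASET = [
    {"full_name": "Alice Example", "postcode": "SW1A 1AA", "dob": "1980-03-14"},
    {"full_name": "Carol Test",    "postcode": "M1 1AE",   "dob": "1990-07-30"},
]


def pseudonymise(records, secret):
    """Replace each name with a keyed code (HMAC-SHA256 over the name).

    Returns the pseudonymous table and the code -> name mapping. Whoever
    holds the mapping (or the secret, which lets codes be recomputed)
    holds "the keys that unlock it".
    """
    pseudo, mapping = [], {}
    for r in records:
        code = hmac.new(secret, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[code] = r["name"]
        pseudo.append({"id": code, **{k: v for k, v in r.items() if k != "name"}})
    return pseudo, mapping


def relink_with_mapping(pseudo, mapping):
    """Route 1: the holder of the mapping restores names directly.

    With the mapping this is trivial; with an empty mapping (the key table
    escrowed with a trusted third party) every lookup yields None.
    """
    return {row["id"]: mapping.get(row["id"]) for row in pseudo}


def relink_by_join(pseudo, other, fields=("postcode", "dob")):
    """Route 2: join on common field headings with a second dataset.

    No mapping is needed; only rows that match exactly one record in the
    other dataset are counted as re-identified.
    """
    index = {}
    for o in other:
        index.setdefault(tuple(o[f] for f in fields), []).append(o["full_name"])
    result = {}
    for row in pseudo:
        matches = index.get(tuple(row[f] for f in fields), [])
        if len(matches) == 1:
            result[row["id"]] = matches[0]
    return result


if __name__ == "__main__":
    pseudo, mapping = pseudonymise(RAW_CUSTOMERS, b"constructed-secret")
    print("company holds mapping:", relink_with_mapping(pseudo, mapping))
    print("mapping escrowed:     ", relink_with_mapping(pseudo, {}))
    print("join on common fields:", relink_by_join(pseudo, OTHER_DATASET))
```

Handing the mapping (and the HMAC secret) to a trusted third party closes the first route, which is the arrangement Treacy describes; it does nothing about the second, which is why stripping names alone does not take a dataset outside the DPA's definition of personal data.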
Take Raytheon, the multinational security firm that was recently revealed to have developed a proof-of-concept version of ‘spying’ software that uses information from social networking sites to gain an unprecedented level of insight into an individual’s social relationships and habits.
The product will, in effect, allow customers to spy on people using data they have themselves willingly provided to the likes of Facebook, Twitter, and FourSquare.
This example brings us to a second area where the law faces inherent challenges from technology in the realm of big data – the use of personal data for further purposes – such as analytics – and the handing over of data from the original collector to a third party.
“Under the current framework it is the processing [of data] that is restricted, which includes using data that has been collected for one purpose for an additional purpose, and also handing the data to third parties. Unless you can satisfy a legal basis for these activities, you can’t do it.”
The basis most UK organisations currently rely on is that of legitimate interests, which involves a balancing exercise between the reasonable interests of the company wanting to do the processing and the rights of the individuals whose information is held in the database.
Such comparatively flexible grounds may not be available to UK business for much longer, however. Representatives of the European data protection authorities last week published guidance emphasising that personal data cannot be processed for purposes incompatible with those for which it was initially collected.
The paper states that, “Personal data must be collected for specified purposes. The controller must therefore carefully consider what purpose or purposes the personal data will be used for, and must not collect personal data which are not necessary, adequate or relevant for the purpose or purposes which are intended to be served.”
Perhaps more pertinently, this setting out of purposes must occur “prior to, and in any event, not later than, the time when the collection of personal data occurs.”
Clearly this could have ramifications for organisations carrying out analytics on personal data, since the explorative approach that is commonplace today – get the data now, find out what it reveals later – would be incompatible with any legislation incorporating these changes.
Embedded into these topics is the issue of consent. It is probably fair to say that the overwhelming majority of people who use social networks are aware that in using these services they are providing the companies in question with large amounts of often very revealing personal information.
What many may not realise is that these companies are almost invariably passing on the very same data to marketing firms and – at the extreme end – the likes of Raytheon, for further processing, analysis and predictive modelling, so where does the law stand on consent and third party processing?
“Currently, consent is not always needed, but often individuals think their data can only be processed if they’ve given their explicit consent to it”, says Treacy. “There is, more broadly, an increasing expectation by individuals that they should have the ability to give or withhold consent whenever their data are going to be used, but my own view is that this is a little unrealistic.
“I certainly don’t want to have to give my consent every single time my data are used. There are many instances when I’m more than happy my data are used without having to do something actively.”
Treacy may have a point – studies have shown, for example, that levels of online security among web users tail off very quickly once a certain amount of time, money or effort is involved, and a 2011 UK survey showed that while just 7% of us read through to the end of terms and conditions, 21% have suffered as a result of failing to do so.
Regardless, article seven of the proposed EU regulations would see a tightening of the law on this issue. Where consent is relied on, the consent must be explicit. This includes the requirement that processors separate a request for consent from any other permissions involved in a particular transaction.
The ICO has expressed unease over this proposed amendment, on the grounds that it could prove “onerous and in many cases pointless”, going on to suggest that legitimate interests be used as an alternative.
Negotiations continue over this and other aspects of the proposed changes – such as the ‘right to be forgotten’ power – with the EU’s Civil Liberties, Justice and Home Affairs Committee (LIBE) due to vote on the recommendations later this year.
Source: The Guardian