Huge amounts of data, including personal data, are currently being created. If we are to believe IBM, 90% of the existent data today was created in the last two years. Big data presents extremely interesting opportunities for research. But is big data, which is characterized by volume, variety and velocity, reconcilable with data protection laws?
Law and order
The current data protection legislation was made at a time when big data was not yet an issue. It contains certain principles, which are really strict. For example, you may only collect personal data for specified, explicit and legitimate purposes. You may only collect personal data that is relevant, adequate and not excessive in relation to the purposes for which the data is collected. The issue is that, in the context of big data, you are excessively collecting and processing data, often for purposes that were not initially intended. “This is a huge problem,” says Heidi Waem, Senior Associate at NautaDutilh. “You sit on an amount of data and you want to try to discover something else. In principle, this is not allowed." The European Commission is working on the General Data Protection Regulation, which will replace the current legislation. Unfortunately, this Regulation is based on the same stringent principles and does not take into account the specific nature of big data.
Let's just make it anonymous then?
In a big data context, is true anonymization still possible?
Anonymization is the classic means to escape the field of application of data protection laws, since these laws only cover personal data. “But, in a big data context, is true anonymization still possible? With the powerful analytical tools that we have today, when you start combining datasets, is it still possible to talk about anonymous data?” Waem asks. “At a certain point, won’t all data be personal data, as there is an increasing likelihood of re-identification?”
The Internet of Things is another hot topic. As with all new technologies, it has a lot of benefits, but it also bears important risks. Waem comments: “The main risk is security. Manufacturers should really think about the safety of smart devices as of their conception. A driverless car could be hacked, or photos from your sleeping baby — taken by your hi-tech baby monitoring device — could appear on the internet.”
In the globalized world of today, companies are transferring their data everywhere, often without knowing where the data will eventually end up.
Data is flowing everywhere. It is stored in the cloud, but where are the servers and systems? This can be a problem, as there are strict rules for transferring data outside of the European Economic Area. In principle, personal data cannot be transferred outside of the EEA. However, there are certain mechanisms for legitimizing transfers outside of the EEA, such as EU model clauses. Previously, transfers to the US could also take place under the Safe Harbor program. But, since the Schrems decision of the European Court of Justice, it is no longer possible to rely on Safe Harbor. “Transferring data is a complicated matter,” Waem says. “In the globalized world of today, companies are transferring their data everywhere, often without knowing where the data will eventually end up.” Under the new Regulation, the mechanisms for transferring data remain the same. Furthermore, the European Commission is working, together with the US, on a so-called Privacy Shield for data transfers to the US.
The potential of big data is huge; it might contain the key to easy diagnosing rare diseases and even finding cures for diseases which are difficult to treat. But at this stage, development based on big data is hampered due to unsuited data protection laws. “Concerted actions are necessary to provide a framework that protects personal data without hampering innovation based on big data,” concludes Waem. It will be a challenge to gather all the involved parties and to make them look in the same direction.
This article is a report of the keynote presentation by Heidi Waem, Senior Associate, NautaDutilh, on the Janssen - FlandersBio Partnerday, March 3, 2016