Big Data & Issues & Opportunities: Transparency, Consent, Control and Personal Data Ownership
In this seventeenth article in our series on "Big Data & Issues & Opportunities" (see our previous article here), we look into the social and ethical aspects of privacy, with a particular focus on transparency, consent and control, and personal data ownership in a big data context. This article further elaborates, from an ethical perspective, the second and twelfth articles of our series. Where relevant, illustrations from the transport sector will be provided.
Privacy is probably the most recurrent topic in the debate on ethical issues surrounding big data, which is not illogical given that the concepts of big data and privacy are prima facie mutually inconsistent.[1] Indeed, the analysis of extremely large datasets may include personal data, and the more personal information included in the analytics, the more it might interfere with the privacy of the individuals concerned.[2] In this context, the question of ownership over personal data is also raised, as individuals tend to have a sense of ownership over their personal data.
These aspects are also discussed in the recently published Ethics Guidelines to achieve trustworthy Artificial Intelligence ("AI"), issued by the Independent High-Level Group on Artificial Intelligence (AI HLEG) set up by the European Commission. The Guidelines list seven key requirements, including privacy and data governance and transparency, and suggest technical and non-technical methods to implement them. The Guidelines also provide an assessment checklist to ensure AI takes into account the ethical requirements.[3]
Setting the scene on privacy from an ethical perspective
The EU Charter of Fundamental Rights ("EU Charter") codifies the concept of privacy as a fundamental right in Article 7, according to which: "Everyone has the right to respect for his or her private and family life, home and communications."
Article 8 of the EU Charter provides specific fundamental rights and principles in relation to the protection of one's personal data in the following terms:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
The first Recital of the General Data Protection Regulation ("GDPR"), which entered into force in May 2018, further elaborates Article 8 of the EU Charter. Nevertheless, Recital 4 of the GDPR clearly favours a balanced approach by stating that "the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".
Ethical challenges and opportunities for privacy
After years of wilful abuse or unintentional ignorance in respect of people's personal data, the entry into force of the GDPR has increased the protection of individuals' personal data by obliging companies to abide by a strict set of rules. This Regulation addresses several ethical issues, including transparency, consent and control. The GDPR notably provides for the following:
-
a strengthened principle of transparency in relation to personal data processing, ensuring better information to individuals about the processing of their personal data[4]
-
the requirement that any processing should be lawful, i.e. based on a legal ground[5]
-
extended and strengthened rules on consent[6]
-
new and reinforced rights for individuals aiming at giving individuals more control over their personal data, i.e. the rights of access, rectification, erasure, restriction of processing, data portability, objection and the right not to be subject to automated individual decision-making[7]
The GDPR has raised the public's awareness in relation to privacy and data protection, which should improve end-users' trust in the use of personal data by private and public organisations. This may encourage them to communicate their personal data, and therefore improve big data analytics. [8] This development can be seen as an opportunity by companies to guarantee high data protection standards and distinguish themselves from their competitors, particularly in a big data context where considerable amounts of data may be processed.
Although this can be qualified mostly as a positive evolution, it has also had some undesirable side effects, mainly due to incorrect reports on the GDPR's exact content, creating confusion both among data subjects and organisations. This is for example the case for the data subject rights, which are often considered as being absolute whereas in some conditions data subjects will not be able to exercise those rights. Both industry and government should take up responsibility to eliminate the existing misconceptions and educate data subjects about privacy and big data analytics in order to encourage the use of big data.
Furthermore, even though the GDPR is now applicable throughout the EU as one single set of rules, the expectations regarding privacy may vary between individuals or situations.[9] It will therefore be difficult for companies and developers to adopt a one-size-fits-all approach, with the risk of opting for the strongest protection and therefore limiting big data analytics using personal data.
Transparency
The concept of transparency is indirectly included in Article 8 of the EU Charter, which states that "Everyone has the right of access to data which has been collected concerning him or her". This entails that individuals have the right to be informed about any processing activities of their personal data.[10] In a big data context, this also refers to the transparency of the big data analytics, i.e. the entire ecosystem of big data analytics, the algorithms used to make predictions about individuals, and the decision-making process.[11]
Transparency regarding personal data processing activities and big data analytics may increase individuals' trust in the processing activities and the technology used. Moreover, it also ensures safer tools as transparency allows individuals to verify the conclusions drawn and correct mistakes.[12]
Today individuals' trust is however negatively affected by a lack of transparency, particularly in a big data environment.[13] Individuals are indeed not always aware of the exact nature of the processing activities and of the logic of algorithms and the decision-making process behind big data analytics.[14] This challenge is even more important considering citizens' limited knowledge about big data analytics[15], particularly the possibility to combine individuals' personal data with other accessible data, allowing to make more accurate and broader decisions or predictions.[16]
From the perspective of organisations, transparency is also a challenge in the sense that some of them are reluctant to be transparent, invoking business confidentiality or trade secrets protection. In this respect, it is worth noting that other means of protection of information exist, such as intellectual property rights (see the ninth article of our series on Intellectual Property Rights).[17]
Consent
The concept of consent has been foreseen in Article 8 of the EU Charter stating that "Such [personal] data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law." This means that any processing of personal data should be based on individuals' consent or on another legitimate ground.
The GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."[18]
Collecting individuals' consent does not mean that the organisations processing the data are free to process the data as they wish. They are still accountable and have to meet the privacy standards (ethical, legal, etc.).[19] It is also worth noting that if individuals have given their consent for a particular personal data processing activity, they also have the right to withdraw their consent.
As explained in the second article of our series on Privacy and Data Protection, the GDPR requires all data processing activities to be lawful, i.e. based on a legal ground[20], which means that, from a legal perspective, consent is not always needed and other legal grounds might be applied.[21] This is another misconception of the GDPR, highlighting the lack of awareness and transparency observed among individuals.[22] By informing individuals, notably through transparent notices, about the grounds for processing and the possible impacts on their privacy, they will indeed be more inclined to participate in big data analytics.[23]
It is worth noting that relying on consent in the context of big data analytics may be risky, given that when an individual decides to withdraw consent, as foreseen in the GDPR[24], the big data analytics process may be completely jeopardised.
|
Illustration in the transport sector: Self-driving cars will collect a high amount of personal data about the users but also about the environment of the car (neighbourhood, other drivers, etc.), and those data may be shared with many stakeholders. Users might be reluctant to give their consent to such massive processing of their personal data. However, without such processing activities, self-driving cars would not work properly and safely. Indeed, a high amount of partners will be involved in such ecosystem to make it function. It might be that individuals will have no other choice than to accept such processing.[25] From a legal perspective, the GDPR introduces different lawful bases for processing (see the second article of our series on Privacy and Data Protection). |
Control
The concept of control is implied in Article 8 of the EU Charter, particularly when referring to the "consent of the person concerned", "the right of access to data which has been collected", and "the right to have it rectified". Several aspects of the GDPR, such as transparency, consent, and data subjects' rights, also allow individuals to retain control over their personal data, including in a big data environment.
Today, there is an asymmetry of control over personal data between data subjects and the organisations processing the data.[26] In a big data context, individuals indeed hardly control their personal data, and are sometimes not aware of the processing activities in which their data are involved, which may lead to decisions that individuals do not understand.[27] In addition, data subjects may fear losing control over their digital identity by engaging in big data analytics as they are not consulted anymore, nor taken into account in the decision-making process, which means that they might be discriminated without having the possibility to react.[28]
This is why giving more control to individuals, and ensuring transparency, should improve big data analytics, by allowing them to rectify mistakes, detect unfair decisions, and make better choices.[29] In this way, they will benefit from the processing of their personal data in a big data context, and therefore feel more inclined to participate in data processing activities for big data purposes.
|
Illustration in the transport sector: Civil drones collect data intentionally and unintentionally, especially pictures about individuals, which can give indications about their location, habits, physical characteristics, etc. In their survey about the use of civil drones and their related privacy, data protection and ethical implications, Finn and Wright explain that in some instances the images captured by drones are recorded, stored and shared with other organisations. Individuals are not aware of such processing and have therefore no control over their data. According to Finn and Wright, awareness and legal initiatives are necessary to improve knowledge about legal and ethical standards in order to be able to raise and tackle those issues.[30] |
Setting the scene on personal data ownership
For some time already, the issue of ownership of data (whether it is personal or non-personal) has been heavily debated throughout the EU and in other parts of the world. While it could be labelled as a legal issue, given that ownership or property is traditionally a legal concept going back as far as the legal system of ancient Rome (see the twelfth article of our series on Data Ownership), the personal aspect of data ownership has an ethical connotation that is worth being looked into.
The EU Charter recognises the right to property or ownership in its Article 17 in the following terms:
"Everyone has the right to own, use, dispose of and bequeath his or her lawfully acquired possessions. No one may be deprived of his or her possessions, except in the public interest and in the cases and under the conditions provided for by law, subject to fair compensation being paid in good time for their loss."
Individuals seem to have a general sense that they own their personal data given that the data is about them or relates to them.[31] Moreover, where the personal data is particularly sensitive in nature, individuals even more vehemently tend to claim it as their own.
'Personal data' is defined by Article 4(1) of the GDPR as "any information relating to an identified or identifiable natural person (‘data subject’)", whereas an 'identifiable natural person' is defined as "one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
As explained above, the entry into force of the GDPR has increased the control individuals have over the collection, processing, and sharing of their personal data.[32] This evolution seems to create a certain impression of personal data ownership. For instance, some scholars highlight the fact that the GDPR "recognises different levels of control rights to consumers in accordance with a 'proprietarian' approach to personal data."[33] More specifically, some have emphasised that in practice personal data is perceived as an individual's property.[34]
Challenges and opportunities for personal data ownership
Even if the GDPR and some EU Member States' laws grant important rights to data subjects, they do not regulate the question of data ownership and therefore do not explicitly recognise a "property" right of individuals in their data. In our view, the GDPR only regulates the relationship between the data subject and the data controller(s)/processor(s), without creating and regulating the issues of commercially exploitable rights in personal data.[35]
This view is supported by the manner in which the right to property is recognised in the EU Charter; i.e. the right to own […] his or her lawfully acquired possessions. Personal data is not a possession that can be acquired by the data subject, be it lawfully or not. It is information that attaches to an individual because of his/her persona. Consequently, personal data protection is not conditional upon an act of acquisition on behalf of the data subject. To claim otherwise would go against the data protection principles of the GDPR and the rights to respect for private and family life and to protection of personal data enshrined in the EU Charter.
Whereas personal data is something inherent to and indivisible from the individual, it may be lawfully – i.e. in compliance with the data protection rules – acquired by third parties, either directly from the data subject or through other sources. Such interpretation would fit within the definition of the right to property under the EU Charter. This being said, any such "ownership" right subsisting in personal data to the benefit of third-party natural or legal persons, would be restricted by the application of the GDPR and notably by the rights of data subjects.[36]
In a big data ecosystem, this tension between data subjects wanting to "own" their personal data and third parties claiming ownership over entire datasets could stifle innovation. Indeed, as long as data subjects do not volunteer their personal data, they retain some type of de facto ownership or at least control. Therefore, data subjects may refrain from providing their personal data as soon as they realise this would entail forsaking "ownership" or control over such data. In addition, even if data subjects willingly provide their personal data, it proves highly difficult, if not impossible, to establish ownership of different data components, given that they are part of datasets containing data from various types and originating from various sources. Furthermore, taking into account the various actors involved in the big data ecosystem, many different entities may try to claim ownership in (parts of) the dataset, including in the personal data components.
An additional complicating factor is that the scope of what can be qualified as personal data is constantly evolving.[37] Certain types of information (e.g. IP addresses) that would not necessarily have been qualified as personal data under the previous Data Protection Directive, are now recognised to be personal data under the GDPR. This is not only due to the fact that the legal definition of personal data has been broadened, but also because of continuous technological developments facilitating the identification or linking back to an individual.
In conclusion, a claim of ownership by a data subject in its personal data would be hard to sustain. This however does not mean that data subjects have to give up all control over their personal data. The advent of the GDPR, with its novel and/or strengthened data subject rights, has increased the means of data subjects to exercise control over the processing of their personal data.
This series of articles has been made possible by the LeMO Project (www.lemo-h2020.eu), of which Bird & Bird LLP is a partner. The LeMO project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 770038.
The information given in this document concerning technical, legal or professional subject matter is for guidance only and does not constitute legal or professional advice.
The content of this article reflects only the authors’ views. The European Commission and Innovation and Networks Executive Agency (INEA) are not responsible for any use that may be made of the information it contains.
[1] European Data Protection Supervisor, 'Opinion 4/2015 Towards a New Digital Ethics' (EDPS 2015) <https://edps.europa.eu/sites/edp/files/publication/15-09-11_data_ethics_en.pdf> accessed 23 August 2018; European Data Protection Supervisor, 'Opinion 7/2015 Meeting the Challenges of Big Data: A Call for Transparency, User Control, Data Protection by Design and Accountability' (EDPS 2015) <https://edps.europa.eu/sites/edp/files/publication/15-11-19_big_data_en.pdf> accessed 23 August 2018; European Union Agency for Network and Information Security, 'Privacy by Design in Big Data – An Overview of Privacy Enhancing Technologies in the Era of Big Data Analytics' (ENISA 2015) <https://www.enisa.europa.eu/publications/big-data-protection> accessed 23 August 2018; Evodevo, 'The Ethics of Big Data: Balancing Economic Benefits and Ethical Questions of Big Data in the EU Policy Context' (European Economic and Social Committee 2017) <https://www.eesc.europa.eu/resources/docs/qe-02-17-159-en-n.pdf> accessed 23 August 2018
[2] Tobias Holstein T, Dodig-Crnkovic G and Pelliccione P, 'Ethical and Social Aspects of Self-Driving Cars' (2018) abs/1802.04103 CoRR arXiv:1802.04103
[3] High-Level Expert Group on Artificial Intelligence, "Ethics Guidelines for Trustworthy AI" (European Commission, 8 April 2019) <https://ec.europa.eu/futurium/en/ai-alliance-consultation/guidelines> accessed 15 April 2019
[4] GDPR, Art. 5.1(a) and 12
[5] GDPR, Art. 6
[6] GDPR, Art. 7
[7] GDPR, Chapter III, Art. 12-22
[8] Evodevo, 'The Ethics of Big Data: Balancing Economic Benefits and Ethical Questions of Big Data in the EU Policy Context' (European Economic and Social Committee 2017) <https://www.eesc.europa.eu/resources/docs/qe-02-17-159-en-n.pdf> accessed 23 August 2018; Jaimee Lederman, Brian D. Taylor and Mark Garrett, 'A Private Matter: The Implication of Privacy Regulations for Intelligent Transportation Systems' (2016) 39(2) Transportation Planning and Technology 115
[9] World Economic Forum in collaboration with Bain & Company, Inc., 'Personal Data – The Emergence of a New Asset Class' (World Economic Forum 2011) <http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011.pdf> accessed 23 August 2018
[10] EDPS, Opinion 7/2015
[11] EDPS, Opinion 7/2015; Tobias Holstein T, Dodig-Crnkovic G and Pelliccione P, 'Ethical and Social Aspects of Self-Driving Cars' (2018) abs/1802.04103 CoRR arXiv:1802.04103
[12] EDPS, Opinion 7/2015
[13] Jaimee Lederman, Brian D. Taylor and Mark Garrett, 'A Private Matter: The Implication of Privacy Regulations for Intelligent Transportation Systems' (2016) 39(2) Transportation Planning and Technology 115
[14] European Union Agency for Network and Information Security, 'Privacy by Design in Big Data – An Overview of Privacy Enhancing Technologies in the Era of Big Data Analytics' (ENISA 2015) <https://www.enisa.europa.eu/publications/big-data-protection> accessed 23 August 2018; EDPS, Opinion 7/2015; Article 29 Data Protection Working Party, 'Opinion 3/2013 on purpose limitation' (WP29 2013) <http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf> WP203 accessed 23 August 2018
[15] Evodevo, 'The Ethics of Big Data: Balancing Economic Benefits and Ethical Questions of Big Data in the EU Policy Context' (European Economic and Social Committee 2017) <https://www.eesc.europa.eu/resources/docs/qe-02-17-159-en-n.pdf> accessed 23 August 2018
[16] EDPS, Opinion 7/2015
[17] EDPS, Opinion 7/2015
[18] GDPR, Art. 4(11)
[19] EDPS, Opinion 4/2015
[20] GDPR, Art. 5(1)(a)
[21] GDPR, Art. 6. Article 9 of the GDPR also provides legal grounds specific to the processing of special categories of personal data (i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data, data concerning a natural person's sex life or sexual orientation).
[22] Elizabeth Denham, 'Blog: Consent is not the "Silver Bullet" for GDPR Compliance' (Information Commissioner's Office 2017) <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/08/blog-consent-is-not-the-silver-bullet-for-gdpr-compliance/> accessed 24 August 2018
[23] Evodevo, 'The Ethics of Big Data: Balancing Economic Benefits and Ethical Questions of Big Data in the EU Policy Context' (European Economic and Social Committee 2017) <https://www.eesc.europa.eu/resources/docs/qe-02-17-159-en-n.pdf> accessed 23 August 2018
[24] GDPR, Art. 7(3)
[25] Caitlin A. Surakitbanharn and others, 'Preliminary Ethical, Legal and Social Implications of Connected and Autonomous Transportation Vehicles' <https://www.purdue.edu/discoverypark/ppri/docs/Literature%20Review_CATV.pdf> accessed 23 August 2018
[26] Melanie Swan, 'Philosophy of Big Data: Expanding the Human-data Relation with Big Data Science Services' in '15 Proceedings of the 2015 IEEE First International Conference on Big Data Computing Service and Applications (IEEE, 2015) 468-477 DOI: 10.1109/BigDataService.2015.29
[27] EDPS, Opinion 7/2015; WP29, Opinion 3/2013
[28] EDPS, Opinion 7/2015; Norwegian Data Protection Authority, 'Big Data Report' (Datatilsynet 2013) 7 <https://www.datatilsynet.no/globalassets/global/english/big-data-engelsk-web.pdf> 23 August 2018; Evodevo, 'The Ethics of Big Data: Balancing Economic Benefits and Ethical Questions of Big Data in the EU Policy Context' (European Economic and Social Committee 2017) <https://www.eesc.europa.eu/resources/docs/qe-02-17-159-en-n.pdf> accessed 23 August 2018
[29] Ibid
[30] Rachel L. Finn and David Wright, 'Privacy, Data Protection and Ethics for Civil Drone Practice: A Survey of Industry, Regulators and Civil Society' (2016) 32(4) Computer Law & Security Review 577
[31] World Economic Forum in collaboration with Bain & Company, Inc., 'Personal Data – The Emergence of a New Asset Class' (World Economic Forum 2011) 16 <http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011.pdf> accessed 23 August 2018
[32] Alex Howard, Data for the Public Good (O'Reilly Media Inc. 2012) 23
[33] Gianclaudio Malgieri, 'Property and (Intellectual) Ownership of Consumers' Information: A New Taxonomy for Personal Data' (2016) 4 PinG 133; Jacob M. Victor, 'The EU General Data Protection Regulation: Toward a Property Regime for Protecting Data Privacy' (2013) 123(2) Yale Law Journal 266
[34] Nadezhda Purtova, 'The Illusion of Personal Data as No One’s Property' (2015) 7(1) Law, Innovation and Technology 83
[35] European Data Protection Supervisor,' Ethics Advisory Group Report 2018' (EDPS 2018) 25 <https://edps.europa.eu/sites/edp/files/publication/18-01-25_eag_report_en.pdf> 23 August 2018
[36] See in the same vein, in the context of disclosure of chemical data, the Court Order of the EU General Court in case T-189/14 wherein the President examines in obiter dictum the question of privacy (Case T-189/14 R Deza a.s v Agence européenne des produits chimiques [2014] ECLI:EU:T:2014:686). More particularly, the President acknowledges the relevance of the question of privacy of legal entities but nevertheless reminds, on the basis of the decision of the Court of Justice of the EU in case C-450/06, that it may be necessary to prohibit the disclosure of information qualified as confidential in order to preserve the fundamental right to privacy of an undertaking (Case C-450/06 Varec SA v État belge [2008] ECLI:EU:C:2008:91).
[37] Václav Janecek, 'Ownership of Personal Data in the Internet of Things' (2018) forthcoming in the Computer Law & Security Review
