The rapid development of informatics and broad Internet use by the majority of institutions, enterprises and individuals has led to proliferation of transferred, collected and stored data. Most of data fall within the definition of personal data and they are subject to legal protection according to international, European and national legal texts. Moreover, health data processing is regulated by stricter rules. Big Data use is expected to contribute to greater efficiency of healthcare services, healthcare cost reduction and finally improvement of citizens’ health status. However, the risks in regards to cybersecurity and data privacy cannot be undermined.
Our present article focuses on the Guidelines on the protection of individuals with regard to the processing of personal data in a world of Big Data, as recently (23 January 2017) issued by the Consultative Committee of the Council of Europe’s Convention 108 regarding personal data.
1) Which are the main purposes of the new Guidelines?
The Guidelines are not legally binding but can be used for interpreting the provisions of Convention 108 as well as of national law. It should be noted that both the Convention and the Guidelines aim to enhance the protection of subjects’ fundamental rights to privacy and personal autonomy. The aforementioned texts adopt a more human rights approach, while EU legislation has a more market-oriented approach, regulating at the same time procedures conducted in Member States. In view of the Committee, the impressive advancements in the field of Data science and use of Big Data in various economic activities require that fundamental principles (data minimization, purpose limitation, fairness and transparency, free, specific and informed consent) correlate with the modern scientific and social conditions. In this way, the Committee attempts to prevent the negative impact of Big Data use on human autonomy and fundamental human rights.
2) How are “BIG DATA” defined in the Guidelines?
Since definitions proposed by experts vary, the Committee does not give a precise definition of the term, but suggests some of its basic conceptual elements, namely:
- The evolving technological capacity of collecting and processing data to extract new and predictive knowledge
- great volume of data
- great velocity of data transfer and processing
- variety of processed data, or heterogeneity (3 Vs)
According to the Committee the term “Big Data” covers big data analytics which refers to the analysis of all data collected in order to find patterns, infer situation, understand behaviors and support decision-making processes.
3) Which are the principal concerns about Big Data use? Did the Committee suggest any legal solution to these concerns?
The Committee highlights the possibility of the right to personal data protection being undermined, since admittedly complexity and vast volume of Big Data limit subjects’ control on their personal data. Big Data provide their processor with adequate means to reveal patterns and trends in the subject’s behavior and reach outcomes which are further used in more efficient evidence-based decision-making. As a result, the data may be processed for purposes other than the purposes the subject has consented to. However, the subject’s ability to control its data is based on appropriate information about the use of data in a way that the subject is able to perceive as well as on real freedom of choice. The legislator seeks to suggest solutions suitable for social needs of the modern era, taking into account the existing lack of knowledge on the part of individuals. In particular, he suggests a broader idea of control which can be realized through the conduct of an impact assessment, so that risks can be evaluated at a preventive level.
4) To whom do the Guidelines apply?
It is clearly stipulated that Guidelines should be followed by data controllers, data processors and Convention 108 contracting parties.
5) More specifically, which were the main points of the Committee’s Guidelines?
- Ethical and social implications of the intended Big Data processing shall always be examined and compliance with the ethical principles foreseen in Convention 108 shall be ensured.
- Basic ethical and social values, which may vary among different countries, should be respected and conflicts with them should be avoided. International fundamental human rights texts set the minimum protection level and should be followed.
- In case the impact assessment reveals a great conflict with ethical values, the ethical and legal issues arising shall be identified and evaluated by an independent ad hoc Ethics Committee, specially established for this purpose.
- The precautionary principle shall apply. This principle implies that data controllers must adopt preventive measures which safeguard personal data protection. In particular, according to this principle, the Committee considers necessary for data controllers to present the risk assessment in advance. The assessment shall examine the impact of Big Data processing to subjects’ rights, including the right to equal treatment and to non-discrimination.
- The Committee suggests the application of “Privacy by design” and “Privacy by default” principles. The former promotes an approach to systems engineering which takes privacy into account throughout the whole engineering process from the earliest design stages, while according to the latter, the measures that safeguard data protection shall constitute the “default” setting. These principles imply that data controllers and processors are obliged to minimize data usage up to the extent required for accomplishing the processing purpose. Furthermore, the Committee suggests that controllers or processors shall test the adequacy of the technical measures designed my means of simulations on limited amounts of data. The implementation of the aforementioned principles shall be regularly reviewed.
- Data controllers shall adopt anonymization techniques, which will be reviewed in order to adapt to the technological development. Additionally, their adequacy shall be illustrated in the impact assessment.
6) By which measures the Committee enhances the subject’s role?
- It promotes the active participation of interested stakeholders, including groups of individuals/data subjects in the risk/ impact assessment process.
- It represents that further processing of personal data in a way that the data subject might consider unexpected, inappropriate or otherwise objectionable should be forbidden.
- It makes clear that informed consent requires information about the potential risks as illustrated in the risk assessment. Given the complexity of Big Data use, the information provided shall be clear and understandable to the subjects consenting to their data processing. Learn–from–experience approach is suggested.
- It highlights that consent cannot be freely given when there is a clear imbalance of power between the data subject and data controller. Moreover, the burden of proof falls on the controller, who is required to prove that such imbalance does not exist or that this did not affect the subject’s decision to consent.
- Data controllers as well as processors shall adopt user-friendly procedures for data subjects to exercise their right to react and withdraw their consent.
7) Which is the Committee’s opinion with regard to the automatic decision-making?
It is clearly stated that Big Data use and Big Data analytics shall never impinge upon human autonomy in the decision making process. For this reason, decisions based on the results of Big Data analytics methods should consider all relevant circumstances in this context. Additionally, when decisions based on Big Data usage are likely to produce legal effects for the individuals or have a significant impact on fundamental human rights, specific reasoning shall be provided by a human decision-maker, upon request of the data subject. It is also foreseen that the person who takes the final decision shall be able to reject the decision produced in an automatic way. In any case, the subject’s right to challenge the decision shall be guaranteed.
Our law firm’s comment:
The rapid development of Informatics and Data Science has already affected economic and social relations and consequently, it has motivated legislators globally to regulate the provisions of lawful personal data processing, while taking into account the new advancements. As far as the healthcare industry is concerned, we observe a great revolution of digitization and Internet of Things, even though such revolution has occurred later than in other industries. Undoubtedly, Big Data applications may lead to incredible data disclosure with just a click. The opportunities for the healthcare industry and systems are very promising, but many challenges and concerns also emerge. We strongly believe that in this context, the need for compliance with the new legal rules is imperative and of added value for all businesses concerned.