World's Data Protection Leaders Highlight Internet of Things, Big Data Privacy Risks

By Stephen Gardner

Oct. 15 — Data protection officials at the 36th International Conference of Data Protection and Privacy Commissioners in Balaclava, Mauritius, Oct. 15 adopted a declaration on the Internet of things and a resolution on big data analytics, warning that they may fundamentally threaten the independence of individuals to make free decisions.

Jacob Kohnstamm, chairman of the Dutch data protection authority and outgoing chairman of the executive committee of the International Conference of Data Protection and Privacy Commissioners, said compliance by companies with current privacy principles might be insufficient to protect against the “manmade tsunami of big data,” which could lead to a situation in which “full individual development will become an illusion.”

Kohnstamm said the Internet of things—devices attached to the Web—combined with big data analytics—the analysis of data from combined large databases—might result in people being treated by companies and governments on the basis of which consumer segment or category they fall into.

The growing sophistication of big data analytics means that increasingly finely defined categories of consumers can be created, he said.

This could result in the choices presented to people being based on their categorization, which would “deprive people of free choice” and could be a “frightening manifestation of digital predestination,” Kohnstamm said.

The group also adopted resolutions on privacy in the digital age and enforcement cooperation between data protection authorities.

Internet of Things Declaration

The data protection commissioners Oct. 14 adopted in closed session the Mauritius Declaration on the Internet of things, saying that “personal development should not be defined by what business and government know about you,” but that “the proliferation of the Internet of things increases the risk that this will happen.”

The Mauritius Declaration said data derived from devices connected to the Internet should be regarded as personal data because it is “high in quantity, quality and sensitivity,” and even if data is anonymized, “identifiability becomes more likely than not.”

Consequently, the application of privacy principles should be carefully respected in Internet of things applications, including the need to obtain informed consent from data subjects and ensuring purpose limitation of collected data, the declaration said.

Kohnstamm said that, in effect, information is collected from consumers without consent because the “legal abracadabra” of privacy policies means that consent that is given often cannot be regarded as having been informed consent.

Companies collecting personal data via Internet of things applications should be more transparent and should apply principles of privacy by design and default, the Mauritius Declaration said. 

Isabelle Falque-Pierrotin, president of the French data protection authority (CNIL), and chairman of the Article 29 Working Party of data protection officials from the 28 European Union member states, said the Mauritius Declaration had to a great extent been informed by a September opinion of the Art. 29 Party.

A central data protection issue regarding the Internet of things is how to give data subjects control, Falque-Pierrotin said. The Internet of things should “stay under the control of the user, but of course the user does not really understand how it works.”

Data Security Risks

The Mauritius Declaration also said the Internet of things poses “significant security challenges,” in particular when data collected by a device are transferred elsewhere.

Ideally, data should be processed by the device that collects the data, the declaration said.

Edith Ramirez, chairman of the U.S. Federal Trade Commission, said that “data security is one of the most significant challenges we face,” and that many companies collecting data make basic security mistakes.

“I think this problem is going to get dramatically worse,” which highlights the need for companies to implement privacy by design, Ramirez said.

The Mauritius Declaration said that if data cannot be processed on Internet of things devices, companies should “ensure end-to-end encryption” as the data are transferred.

Big Data Challenge

The conference resolution on big data said that big data could “challenge key privacy principles, in particular the principles of purpose limitation and data minimization.”

Kohnstamm said that the aim of data protection was “surprise minimization,” but that big data “aims for surprise maximization” by discovering previously unrealized connections that can be used in predictive applications, such as on the side effects of medicines or the spread of diseases.

The conference resolution on big data said users of big data should respect data protection principles and should also “give individuals access, where appropriate, to information about the key inputs and the decision-making criteria (algorithms) that have been used as a basis for development of the profile.”

“Such information should be presented in a clear and understandable format,” the resolution added.

FTC Commissioner Julie Brill said that consumers need “better control and transparency tools” and that companies involved in big data have a responsibility to not allow the use of big data analytics to increase discrimination, for example by segmenting consumers on the basis of race or religion.

However, big data could also be used for socially positive purposes, and if companies fully respect privacy principles, it would “improve big data's chances for success,” Brill said.

Ramirez said big data “has the capacity to save lives and enhance government services” but could also “reinforce disadvantages faced by low-income and underserved communities.”

Several speakers said that data protection authorities should encourage companies to go further than legal compliance and adopt an ethical approach to privacy, as part of an approach to offset the risks of the Internet of things and big data.

To contact the reporter on this story: Stephen Gardner in Balaclava, Mauritius at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

The Mauritius Declaration is available at http://www.privacyconference2014.org/media/16421/Mauritius-Declaration.pdf.

The Resolution on Big Data is available at http://www.privacyconference2014.org/media/16427/Resolution-Big-Data.pdf.