Embed Size (px)
DESCRIPTION
Citation preview
It’s about Variety, not Volume”
Big data typically refers to the following types of data:
• Traditional enterprise data – includes customer information from CRM systems, transactional ERP data, web store transactions, and general ledger data.
• Machine-generated /sensor data – includes Call Detail Records (“CDR”), weblogs, smart meters, manufacturing sensors, equipment logs (often referred to as digital exhaust), trading systems data.
• Social data – includes customer feedback streams, micro-blogging sites like Twitter, social media platforms like Facebook
Defining Big Data
Beneficiaries
1. Individuals (example: Amazon)
2. Community (example: crash reports)
3. Organisation (example: UPS “ORION” project)
4. Society (fraud detection, anti-terrorism, ...)
Other risks
• Exclusion
• Prediction
• Preemption:
• Presumption
“Increasingly people constitute and enact their relations with one another through the use and exchange of data”
Data Protection Law
If you process personal data
- Only for explicit and legitimate purpose
- Declare the purpose to the supervisory authority
- Remain proportional to this purpose
- Prohibition to process data beyond this purpose
- ....
- Transparency / Security
EU Data Protection Directive 95/46
Electronic Privacy Law
• Specific rules for:
• online traffic data• location data• cookies• commercial communications• ...
EU ePrivacy Directive 2002/58
How do we apply this framework to “Big Data”?
• No single answer
• Legitimate ground
• Purpose limitation
• Transparency
• Security
On 25 January 2012 the European Commission has officially released a proposal for a comprehensive reform of the 1995 data protection rules
Will the new rules affect the domain of “Big Data”?
1. One single European law
If adopted, the proposed Regulation will be valid across the EU.
As a consequence, companies established in more than one EU country will no longer experience difficulties to cope with the divergent rules of the EU Member States.
2. Every company supervised by one data protection commissioner
Personal data processing by companies established in more than one EU country will be monitored by one single supervisory authority.
In principle this will be the data protection commission of the country where the company has its main establishment.
3. Also applicable to companies outside the EU
Theoretically the proposed Regulation claims to be applicable on the processing of personal data of data subjects residing in the EU by a controller not established in the EU,
… where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.
4. Basic rules remain but would be better implemented
The supervisory authorities will be empowered to fine companies that violate EU data protection rules.
This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
Moreover responsibility and liability of the controller for any processing of personal data is more clearly established.
5. Abolition of the general obligation to notify
The general notification obligation would be abolished, and replaced by procedures and mechanisms which focus instead on those processing operations which are likely to present specific risks.
6. Data protection officers
The controller and the processor would in the future be requested to designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or
b) the processing is carried out by an enterprise employing 250 persons or more; or
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
7. Consent: always explicit
Tacit consent will no longer be sufficient as a legal ground for personal data processing.
Moreover consent can no longer be integrated into terms and conditions but must be presented distinguishable in its appearance from this other matter.
8. Right to be forgotten?
The right to erasure would be extended in such a way that a controller who has made the personal data public would be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data.
9. “Data portability”
The data subject would be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one.
This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.
10. Security breach notification
As soon as a controller becomes aware that a personal data breach has occurred, he would be obliged to notify this breach to the supervisory authority without undue delay and, where feasible, within 24 hours.
The individuals whose personal data could be adversely affected by the breach would also have to be notified without undue delay in order to allow them to take the necessary precautions.
Profiling (proposed definition)
“any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural personal or analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour”.
Profiling: proposed conditions
Only “profile” people where
(1) necessary to enter into or carry out a contract;
(2) expressly authorised by EU law; or
(3) based on the data subject’s consent.
Jos Dumortiertime.lex - Information & Technology LawCongresstraat 35B-1000 Brussel(t) +32 (0)2 229 19 47www.timelex.eu / [email protected]
