EU Commission rules for algorithms processing big data
On 2017 January, 23 the Consultative Committee of the Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as Convention n. 108, has issued the Guidelines on the protection of individuals with regard to the processing of personal data in a world of big data.
These Guidelines are providing to Parties a general framework for applying policies and measures in the context of Big Data under Convention 108 provisions. Drafting guidelines answers to the ongoing process of modernization and are addressed to rule-makers, controllers and processors.
Definition of Big Data
Big Data refers to a large amount of data processed, combined and analyzed out of the traditional techniques. Those data that are unstructured, or very large, or time sensitive, require a different processing approach, called Big Data. It is an automated process that runs millions of simulations, tweaks and monitors millions of variables, valuing their impact on the results. To help these tasks, artificial intelligence and machine learning are often involved by projects around Big Data.
Identification of data are provided by computers thanks to image recognition or natural language processing, in a more quick and reliable way than spreadsheets and databases can do. Spreadsheets and database has served as data storage until 2000’s, when actions leaving digital trails have increased a lot, generating ever-growing amount of data.
From the beginning of internet to early 2000’s we created as much data as we now create every two days, and at an increasingly rate. This is because almost every action taken online leaves a digital trail. Actions as GPS navigating with our smartphone or chatting through social media applications, or shopping online, generate data that are gathered and then shared by home servers.
How collecting data can be useful to make predictions and decisions quicker and smarter
Collecting this data is aimed to use them to our advantage. From business to travels, the more data you collect, the more information you know, the more reliably you can make quicker predictions and smarter decisions.
Predictions are useful for many purposes and not only for internet related ones. For example, industry companies are now able to target their services and products toward more and more accurate segments of costumers. Healthcare benefits from working on big data involving medical records, since analyzing much more images, records and patterns can help spot diseases earlier.
Environment benefits too, since sensor data are now much easier to elaborate and allow to predict where earthquakes are likely to strike next. Predictions applies to preventing crimes thanks to data-driven strategies that allow to deploy resources more efficiently.
Among big data we generate with our daily actions, there are a lot of information about ourselves and our personal lives. They are personal and should not be submitted to extraneous acknowledge but, at the same time, they are instruments to reveal better services by industries which can offer tailored experiences upon our characteristics.
To grant a balance between personal data we submit to Big Data and empowered services that this new technology offers, there are organization overseeing the advantage of data taken by industry, just as Consultative Committee of Convention 108 is called to do.
1981 is the fundation year for EU data protection policy
With a 1981 treaty that protects right to privacy of individuals, the Council of Europe issued the Convention for the protection of individuals with regard to automatic processing of personal data. The treaty, and consequently the Convention, is the first legally binding international instrument for data protection and it was ratified by all the Members of the Council of Europe.
Guidelines address to controllers and processors of Big Data
Measures recommended by Guidelines are addressed to controllers and processors of Big Data. Main scope is to prevent any negative impact of Big Data processing on human dignity, human rights, individual and collective freedoms. The guidelines are adopted under the principles of Convention 108 to protect data subjects’ rights with regards to the processing of personal data.
Risks can attain to legal, social and ethical implications and can concern the effective informed consent given by individuals.
Every field of application of Big Data, such as health sector or law enforcement, should then be complemented with further guidance and tailored best practices.
Ethical and social values behind Guidelines provisions
Most important among principles expressed by guidelines is the ethical and socially aware use of data. Under this principle, Parties should take into account all ethical and social implications to safeguard human rights and fundamental freedoms, and compliance with data protection obligations under Convention 108.
Processing personal data should in no way be in conflict with ethical or societal values as commonly accepted in the relevant community, nor it should prejudice human rights as referred to by European Convention on Human Rights or by an ad hoc independent committee whose purpose is to identify specific ethical values to be safeguarded in the use of data.
According to the second guideline, controllers should adopt preventive policies to limit risks and impacts on individuals and society. The use of Big Data may affect not only individual privacy but also collective dimension of rights such as equal treatment and non-discrimination. These preventive policies should contain a risk assessment to balance different interests at stake. In fact, it should be examined by controllers whether processing Big Data has a negative outcome on individuals’ rights and fundamental freedoms.
Privacy by design and privacy by default solutions are considered best choices to mitigate risks
To mitigate the risks, controllers should provide “by design” and “by default” solutions while monitoring their adoption and their effectiveness.
Processing personal data should be only for specified and legitimate purposes, compatible with them. Data subject should not consider the processing as unexpected, inappropriate or objectionable and his consent must result free, specific, informed and unambiguous.
Principles to whom processing Big Data must comply, are those of transparency and fairness. The result is public availability of assessment process without prejudice to secrecy safeguarded by law, according to which, controllers and processors adopt by-design solutions in collection and analysis stages, to minimize negative impact on rights and freedoms or safeguarding sensitive information.
The consent of concerned person must be free, specific and unambiguous to be valid
For the consent to be free, specific, informed and unambiguous, the principle of transparency of data processing requires related information to be comprehensive of the outcome of the assessment process and should include simulations to provide easier and more user-friendly technical ways and make it clear that there is no imbalance of power between data subject and controller.
Principles of data protection apply every time identification or re-identification of individuals is possible. In this case, controllers should ensure adequate and effective measures to anonymize data. To prevent identification or re-identification of the persons concerned, technical measures may be combined with legal or contractual obligations and controllers should regularly review anonymization techniques in light of technological development.
Human intervention is not subsidiary in the decision-making process
Despite large scale of technology, Guidelines of Convention 108 preserve the autonomy of human intervention in the decision-making process. It is a necessary measure because instruments that are technologically perfect are not calibrated to detect challenges and transformations behind social definition of privacy.
Cooperation among States and law entities
Since Big Data analytics impact directly on individuals’ rights, international law entities are focusing to cooperate on dismantling any risk connected to processing data whose usage can affect individual rights or produce legal effects.
Privacy by design and privacy by default is the approach Guidelines recommend as the best way to prevent ambiguity, lack of transparency or any other negative consequence of processing Big Data and for providing concerned persons with the reasoning underlying the processing and its related consequences, and elements demonstrating the absence of discrimination, should it be presumed.
In summon, Convention’s provisions safeguard rights outlawing the processing of sensitive data on person’s race, religion, health, without proper legal bindings and enforces individuals’ right to know by whom their information is stored and how to ask for their emendation when needed, allowing restriction of protected rights only for overriding interests as State defence.
Convention 108 has been modernized on 2018
To strengthen Convention’s implementation and to deal with evolution of new information and communication technologies, the Council of Europe considered necessary a modernization of the Convention. After a public consultation of stakeholders and institutions to update challenging areas in more need of modernization, the Committee of Ministers adopted the amending protocol to Convention 108 on 18 May 2018.