Category Archives: Enforcement

Big Data Ecosystem, Fairness and Enforcement

Big data has become an increasingly scary phrase for all stakeholders in data protection. For privacy advocates, it often means loss of control, asymmetrical power and hidden discrimination. For regulators, it often means regulatory round pegs in operational holes of different sizes, in constantly moving locations, with mismatches that begin with vocabulary. For companies, it often means uncertainties at every dimension, with regulatory uncertainty just one of the most visible.

Over the past two weeks, I had the honour of participating in a roundtable discussion on big data and enforcement co-hosted by the European Data Protection Supervisor (EDPS) and the Bureau Européen des Unions de Consommateurs (BEUC), the European-wide consumer organisation, and in the Privacy Commissioner of Canada’s first stakeholder meeting on consent and its alternatives. In both cases, the room was full of very smart people, trying to figure out how to enforce consumer and human rights in an environment of more touch points, data, math and applications. After spending nine years trying to figure out how to legitimately utilise the knowledge and productivity that is associated with big data, while still maintaining a space where individuals are not completely defined by their digital tracks, I am increasingly frustrated by the confusion of data with processing. Clarity is necessary since big data processes are needed to foster the full range of fundamental rights as well as economic growth. Big data done badly raises issues for all parties. Progress requires breaking the issues apart so they may be fully understood. Thinking about big data as an ecosystem has been helpful to me.

First, big data and humongous amounts of data are not the same thing. Nor is big data the same as faster, more detailed and more diverse data. Rather, big data is the process by which humongous amounts of data, coming from various, often unstructured sources, are brought together to generate insights and increase the efficiency of processes. When I say efficiency, I am not making a value judgement. The efficiency may improve healthcare or facilitate unfair practices. Either way, efficiency constitutes the goal.

Second, big data is advanced math conducted on very powerful systems. Some of that math and processing is world class while some processing is mediocre at best. The quality of the knowledge created is directly proportional to the skills of the of data scientists and programmers.

Lastly, knowledge may be applied in a manner that is legal, fair and just, or it may not be applied in such a manner.

I suggest that for all parties to have a sense of how to approach control of a big data ecosystem, big data might be looked at in the following manner:

  • A Means to Observe: Big data is feed by observational data. Observational data is data that comes from all circumstances where behaviour may be observed. The speed has picked up with smart phones and will continue to accelerate with the Internet of Things, smart cars and even smart medicine. The observation itself is becoming increasingly necessary for things and systems to work. For example, mobile phones cannot operate unless their locations are constantly observed, and smart brakes are not effective if their use is not monitored. Unlike traditional collection concepts, observation requires a governance layer that goes beyond individual control.
  • A Means to Gain Knowledge: Data must be brought together, be prepared for processing and then run against advanced analytic processes in order to generate knowledge. Often this means interim steps where questions are refined by the correlations from the last step. Data must be matched again and again. Questions of obscurity to protect individuals come up against accuracy to, in the end, protect individuals.
  • A Means to Apply Knowledge: Once one has knowledge, one needs to decide whether the knowledge makes sense, is applicable, is legal, fair and just. None of these decisions should be made in a vacuum. They are based on the law, commitments made, and societal standards. What makes sense in one context, may not make sense in another context.

Too often, when discussing big data, participants jump from one part of the ecosystem to the next and the next without considering the analysis which is necessary for each part. The IAF has separated “thinking with data” – the means to gain knowledge – and “acting with data” – the means to apply knowledge in developing assessment processes. (For more information, see overview of IAF Big Data Initiative.) Also, the IAF made the case that policy governance needs to be tied to data’s origin in “The Origins of Personal Data and its Implications for Governance” written for an OECD 2014 discussion on data taxonomy. I believe the data taxonomy work, particularly as it relates to the IoT, needs to be revisited and better integrated with ongoing work on big data governance.

In late September, I blogged about the re-establishment of the accountability dialog. (Link to the blog post.) I hope that dialog will encourage discussion on how the three means view of a big data ecosystem might be taken.

Avoiding Huge Data Protection Fines Means Starting Now

The 34-month countdown has begun to data protection fines that are so material they will require SEC disclosure. A good friend, who is also an experienced data protection professional, predicts that fines will come before wide adoption of demonstrable comprehensive privacy programmes. If she is right, that will have significant impact on businesses, individuals and… Continue Reading

Data Protection is About Right and Wrong

“Ethics has no place in data protection,” an audience member stated during a side event held at the 37th International Conference of Data Protection and Privacy Commissioners (“International Conference”). Although the conference ended last week, I have been mulling over this statement ever since. When I and other privacy professionals began the Global Accountability Dialogue in… Continue Reading

Data Management Ethics in an Observational World

Data ethics is more than data minimisation and purpose limitation. If it was not more, big data governance would be easy. But it is not easy. Giovanni Buttarelli, European Data Protection Supervisor, heightened the big data governance debate last Friday, 11 September, when he issued opinion 4/2015, “Towards a new digital ethics.” In the paper,… Continue Reading

IAF Will Hold Event at 37th International Privacy Conference

The Information Accountability Foundation will host a side event entitled “Data Stewardship for a 21st Century Data-Driven World: Ethical Big Data Assessment, Holistic Governance Beyond Big Data and Enforcement Models” at the 37th International Data Protection and Privacy Commissioners Conference. The discussion will be held on 29 October during 16:00 – 18:00. Following the meeting,… Continue Reading

Data Protection Agency Key Issue in Brazil

The agency (or agencies) that will enforce any new data protection law in Brazil is an unsettled issue. The Justice Ministry draft legislation discusses activities and duties for an agency, but it never discusses the agency itself. A clear lesson from more than 40 years of data protection is that agency structure matters. Is the… Continue Reading

Research Definition and Big Data Legitimacy

Data scientists use diverse data sets, typically gathered for other purposes, to discover new insights through the unexpected correlations between the data. Is that process research? That may be the key question in determining whether the repurposing of data is compatible or within context. Compatibility is a key question to determine whether a big data… Continue Reading

IAF Workshop Examines Big Data Regulation and Enforcement

29 April. The IAF’s Big Data Ethics Initiative took another step forward in Madrid with a workshop to explore enforcements for assessment models. The IAF thanks the Spanish Data Protection Agency (Agencia Española de Protección de Datos) for hosting the workshop. The meeting involved the active participation of five enforcement agencies, five companies and three… Continue Reading

CPDP 2015: Accountable Organisations Deserve Benefits from Regulators.

Chair: Marty Abrams, Information Accountability Foundation (US)pror Moderator: Colin Bennett, Victoria University (CA) Panel: Christopher Docksey, EDPS (EU), Terry McQuay, Nymity (BE), Michael Scuvée, Johnson Controls (BE), Scott Taylor, Hewlett Packard (US) Overview: Several interrelated forces have emerged making the conditions perfect for an accountability approach to demonstrating compliance and moving beyond the compliance checklist.… Continue Reading