Big Data: Ethics and Law
Almost every second, each of us produces new data: whenever we use mobile phones, laptops or cars, whenever we are recorded by public cameras, and whenever we stream music, use social media sites or book tickets. The volume of data generated every minute, and its rate of growth, is gigantic. Big Data analytics can reveal hidden patterns and correlations in this mass of raw data, enabling it to be transformed into information and then into contextualized knowledge for solving a particular problem.
But who owns the captured data? Is it not private in nature? Have individuals given their explicit consent for their data to be used for specific purposes? My recently published paper, “Big Data: Ethics and Law,” describes how personal profiling and predictive behavioural analysis by Big Data applications, in both the private and public sectors, pose immense challenges to society and democracy, especially when they violate individuals’ fundamental rights, such as the rights to privacy and data protection, or the right to non-discrimination based on personal attributes. At the same time, Big Data applications threaten basic ethical principles of a democratic society, such as fairness and respect for human autonomy.
An analysis of European data protection laws (the General Data Protection Regulation - GDPR, ePrivacy, Digital Content, Copyright and Trade Secrets) reveals far-reaching gaps in the protection of privacy and in safeguarding individuals against discrimination. Like most data protection laws, the EU’s rules still rely on the idea that personal data is static and can be classified as sensitive data, private data, anonymous data, non-identifying information, metadata, etc. The reality of Big Data, however, is different: it rests on the dynamic use of that data. When different data sets are skilfully combined and correlate sufficiently with sensitive personal data as defined in the GDPR, a person can easily be identified and tracked at any time. Data can be anonymized at one moment and just as easily de-anonymized at another.
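The re-identification risk described above can be illustrated with a minimal sketch of a so-called linkage attack. All data, field names and the quasi-identifiers chosen (ZIP code, birth year, sex) are purely illustrative assumptions, not drawn from any real data set:

```python
# Illustrative sketch: joining an "anonymized" data set (names removed)
# with a public register on shared quasi-identifiers re-identifies a person.

anonymized_health = [
    {"zip": "33615", "birth_year": 1975, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "33619", "birth_year": 1982, "sex": "M", "diagnosis": "asthma"},
]

public_register = [
    {"name": "A. Example", "zip": "33615", "birth_year": 1975, "sex": "F"},
    {"name": "B. Sample", "zip": "33602", "birth_year": 1990, "sex": "M"},
]

def link_records(anonymized, register):
    """Match records from both sets on the quasi-identifier fields."""
    quasi = ("zip", "birth_year", "sex")
    matches = []
    for a in anonymized:
        for r in register:
            if all(a[k] == r[k] for k in quasi):
                matches.append({"name": r["name"], "diagnosis": a["diagnosis"]})
    return matches

print(link_records(anonymized_health, public_register))
```

Neither data set alone identifies anyone, yet their combination attaches a name to a sensitive diagnosis, which is exactly why rules built around static data categories fall short.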
Governments and legislators have a clear obligation to close these gaps as quickly and comprehensively as possible. This is not an easy task, however, and requires a fundamental departure from the idea of protecting individuals’ privacy by restricting the use of personal, sensitive input data. Instead of focusing on the input data, legislators should focus on the outcome of data processing, understood here as inferences or decisions, regardless of the type of data informing them. Under such a human-centred approach, data protection safeguards the privacy of individuals regardless of the technology used for data processing.
I propose a model for the future regulation of Big Data applications resting on three pillars:
Firstly, a fundamental reorientation of the concept of digital identity towards individuals controlling their own private data. Under this concept, individuals would become the owners of their personal data and could thus decide sovereignly with whom to share which data, for which purposes, and over which time period.
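What such sovereign, purpose-bound and time-limited consent could look like in code is sketched below. The record structure, field names and example values are illustrative assumptions, not part of any existing standard:

```python
# Illustrative sketch: a consent record that binds data sharing to a
# specific recipient, purpose, set of fields, and expiry date.

from datetime import date

consent_records = [
    {"recipient": "health-app", "purpose": "fitness-analytics",
     "fields": {"heart_rate", "steps"}, "valid_until": date(2030, 1, 1)},
]

def sharing_allowed(records, recipient, purpose, field, today):
    """Check whether the data owner has granted exactly this use."""
    return any(
        r["recipient"] == recipient
        and r["purpose"] == purpose
        and field in r["fields"]
        and today <= r["valid_until"]
        for r in records
    )
```

The point of the design is that no grant is open-ended: any request outside the stated recipient, purpose, field or time window is denied by default.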
Secondly, the empowerment of individuals as sovereigns of their own data must be accompanied by a comprehensive education and training programme at all levels of society. Through knowledge and training, individuals must be enabled to determine for themselves how their information is used and, at the same time, to bear the associated risks.
Thirdly, regulators themselves will need to use so-called “legal-tech” solutions to automate the testing and monitoring of Big Data applications’ compliance with privacy protection and non-discrimination regulations. The static instruments of the “old legal world”, such as written law and simple bans on the use of sensitive data, will have to be complemented by intelligent algorithms developed in cooperation with IT experts. Here, legislators face the challenge of translating the legal principles formulated in written law into software code.
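A minimal sketch of such an automated compliance test might look as follows. It computes a disparate-impact ratio over a decision log, flagging a system whose approval rates differ sharply across a protected attribute; the 0.8 threshold (the American “four-fifths rule”) and the toy data are illustrative assumptions, not a statement of what EU law requires:

```python
# Illustrative sketch: an automated non-discrimination check over a
# decision log, comparing positive-outcome rates between groups.

def disparate_impact_ratio(decisions, protected_attr):
    """Ratio of the lowest to the highest approval rate across groups."""
    groups = {}
    for d in decisions:
        total, pos = groups.get(d[protected_attr], (0, 0))
        groups[d[protected_attr]] = (total + 1, pos + int(d["approved"]))
    rates = sorted(pos / total for total, pos in groups.values())
    return rates[0] / rates[-1]

decisions = [
    {"sex": "F", "approved": True}, {"sex": "F", "approved": False},
    {"sex": "M", "approved": True}, {"sex": "M", "approved": True},
]

ratio = disparate_impact_ratio(decisions, "sex")
print(f"disparate impact ratio: {ratio:.2f}")
if ratio < 0.8:  # assumed threshold for this sketch
    print("flag for regulatory review")
```

Crucially, such a check inspects the outcome of the processing rather than the input data, in line with the outcome-focused approach argued for above.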
Rainer Lenz - University of Applied Sciences Bielefeld, Germany