"More intrusive" big data profiling would be subject to new two-tier privacy rules, says expert

Out-Law News | 30 May 2013 | 10:17 am | 2 min. read

Big data projects that build profiles of individuals would "almost certainly" trigger privacy rules and safeguards proposed by an EU watchdog, an expert has said.

The proposed rules will only apply when activities "significantly affect" an individual's rights. Data protection expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that this would almost always be the case for big data projects, which have allowed profiling to become "more intrusive".

Earlier this week the Article 29 Working Party said that a new two-tiered regulatory regime should apply to the issue of 'profiling' under a reformed new EU data protection law framework.

The Working Party said that set rules and safeguards should apply when businesses engage in personal data processing for profiling purposes only where such profiling "significantly affect[s]" the rights of individuals. This means that organisations would need the individual's consent or would have to be able to rely on other limited lawful grounds for processing.

In these cases individuals should also ensure that individuals are provided with information about how their details are "used in the context of profiling" and should be able to access, modify or delete profiling information businesses have built up about them, the Working Party said. Companies should be incentivised, if not obligated, to anonymise or pseudonymise personal data they process when profiling, it said.

When profiling does not "significantly affect" the individual's rights, the specific rules and safeguards should not apply, it said. Instead, the processing would be deemed legitimate providing more general data protection rules were observed and details could be processed without an individual's consent.

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that businesses engaged in 'big data' projects would generally find that they would trigger the 'significant affect' threshold. Big data projects use computers to assess massive amounts of data, often to learn more about people or groups of people and their behaviour.

"Before the big data 'boom' profiling did not have such a high value attached to it as it was hardly ever able to reveal insightful information about individuals," Wynn said. "Instead profiling was generally used to identifying trends among groups of people. However, the advent of big data has seen companies become able to record much more granular information about their customers using much more sophisticated technology to analyse that information."

"As a result companies are able to utilise the combination of more granular data and better data analysis to produce information of particular value to them – information that can identify individuals and their behaviours. This information can help firms to better target their marketing of products, reducing the cost of sale and increasing the conversion rate, for example," Wynn said.

"A consequence of this is that profiling has naturally become more intrusive. As a result almost all companies involved in big data projects that involve the profiling of individuals would find themselves falling within the 'significant affect' threshold that the Working Party has proposed. Those companies would have to consider whether it would be worth complying with the more stringent data protection requirements that the Working Party has proposed in order to tap into more valuable data, or contend themselves with profiling on a more generic scale that would be more likely to fall outside the scope of the specific profiling rules," she added.