Big Data: Legal Challenges (Full Report)

"Big Data" immediately brings to mind privacy issues since much of the power of data analysis is in corporations understanding their customers better and providing a more personalised service.

There is also much discussion about government access to data and the impact of use of big data analysis by the state. The ability to anonymise data so that personal information is not associated with data is increasingly called into question as the computing power and disparate data sets available seem to allow routine identification of individuals from apparently anonymised data sets.

"Hiding in plain sight" or the belief that "no one would be interested in profiling me" is also not a realistic answer to the issue of appropriate uses for personal information in an age when so much information relevant to transactions, online behaviour, health, insurance, employment and security is routinely stored about individuals. There will come a time when beliefs about privacy are challenged for every individual.

"For average people like you and me, Big Data will provide countless new services and resources. It may even save our lives. But like all great advancements in human history, Big Data comes at a cost. Innumerable aspects of our lives - our habits, our moods, our medical histories, our personalities, our weakness and strengths, where we go, who we talk to, what we love and hate and fear - are all being amassed in nameless data centers around the world. This information may one day be used to assess whether or not you are good for a job, or a school, or whether you should have children. Companies and governments will surely know more about you and your future that you do. (In many ways, they already do.) So as Big Data gets even bigger, and the information squeezed out of it becomes more plentiful, profitable, and potent, we need to make sure this quickly moving tsunami of information doesn't drown us in its wake."71

An increasing awareness of the uses of information, and of data breaches, has made privacy law a topical area for law reform around the world. The laws are struggling to keep pace with technological change and the competing commercial and ethical issues at stake.

Many Australian and New Zealand businesses are under numerous obligations to protect the privacy of personal information in their possession belonging to other individuals. The Privacy Act 1988 governs privacy in Australia and imposes obligations on businesses with a turnover of more than $3 million72. Governmental agencies and businesses providing services to governmental agencies are also subject to privacy obligations. In New Zealand substantially similar obligations arise from the Privacy Act 1993, however whereas the turnover threshold limits the application of privacy law obligations in Australia, the New Zealand legislation governs almost all organisations.

The legal obligations in relation to personal information are similar in Australia and New Zealand and include duties not to use or disclose the information unless certain criteria are met73 and to take reasonable steps to protect such information from misuse or loss74. In Australia, National Privacy Principle 1 requires disclosure of the purpose for which information is collected at the time of collection. New Zealand Privacy Principle 3 similarly requires notice that personal information is being collected, the purpose of the collection and the intended recipients of the information.

In Australia there is a greater focus on restriction of transborder data flows75 which are not restricted by the New Zealand legislation.

Additionally in Australia, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 ("Privacy Amendment Act") was passed on 29 November 2012 and when it comes into effect in March 2014, will place both public sector organisations and private businesses under significantly more stringent requirements contained in the new Australian Privacy Principles ("APPs") in relation to cross border data flow, and allow for the prospect of stronger sanctions if they do not comply. This is particularly relevant to corporations leveraging regional and global cloud technology services to better use their big data assets.

Under new APP5, if a company collects personal information and is likely to disclose such information to overseas recipients, it must provide notice at the time of collection of the countries in which such recipients are likely to be located. For Big Data sets, often located in the cloud, this requirement is likely to prove to comply with, given cloud providers are generally unwilling to nominate the location of their data centres.

Under the new APP8, before a company discloses personal information about an individual to a person who is not in Australia, it will be required to take reasonable steps to ensure that the overseas recipient does not breach the APPs, unless informed consent, with very specific requirements as to the information to be provided in order to obtain such consent, is obtained. Such a company will also remain liable in some circumstances for any breaches of the relevant APPs by the overseas recipient.

Since the Privacy Amendment Act refers to disclosure to overseas recipients (rather than being limited to actual data transfer overseas) these rules would appear to apply whenever the information becomes available to an overseas recipient (for example, to a remotely located user or member of a support team), even if storage of the data remains in Australia. An arguably "reasonable" step to ensure compliance with privacy law by a data recipient is to seek to place it under a contractual obligation to comply with such law. It also seems arguable that by placing data in an encrypted state or even by locking down data through access controls and password protection it may be possible to store data overseas but to not "disclose" it to an overseas recipient. This new principle may arguably be better suited to the needs of cloud users and those using offshore data storage or processing facilities in the cloud than the current NPP9 which is triggered by a "transfer" of information overseas not a "disclosure" of information. Any judicially tested construction of the APPs will take some time to emerge after the March 2014 introduction.

In both Australia and New Zealand the possibility of mandatory data breach notification laws is on the law reform agenda and it seems only a matter of time before both countries fall into line with the more stringent requirements in the United States and Europe in this regard. This will bring into focus the requirements to maintain adequate security measures to protect data and data owners without considered strategies for data management may expose themselves to the new penalty provisions in the Australian legislation. At the very least there will be damage to public trust in a data holding organisation arising from revelation of data breaches.

Key privacy issues for Australia and New Zealand entities amassing collections of information in data warehouses in include:

  1. knowing the purpose to which data will be put at the time of collection;
  2. determining how to bring these matters to the attention of individuals who are affected by the collection;
  3. allowing third party a ccess to data which is then used to identify an individual through an unanticipated linkage;
  4. considering the domestic law at the point of collection for those entities trading overseas, particularly in Europe;
  5. (particularly for Australian companies) issues associated with offshore data storage in foreign owned and located "clouds";
  6. how to maintain appropriate security and protection measures for the data; and
  7. how to manage deletion of personal information on request by an individual or when no longer needed.

These issues require a considered strategy in an age when the collection of ever-increasing sets of big data come with ever-increasing regulatory obligations. There is also a very real need for appropriate due diligence around the data assets of organisations in a mergers and acquisitions setting.

Related links

Footnotes

71Breaking down 'Big Data' and Internet in the age of variety, volume, and velocity, Andrew Couts, September 25, 2012: 10:00 2/4/2014 http://www.digitaltrends.com/web/state-of-the-web-big-data/
72See sections 6C and 6D, Privacy Act 1988
73National Privacy Principle 2, Australian
Privacy Act 1988; Information Privacy Principles 10 and 11, New Zealand Privacy Act 1993
74National Privacy Principle 4, Australian Privacy Act 1988; Information Privacy Principle 5, New Zealand Privacy Act 1993
75National Privacy Principle 9, Privacy Act 1988

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.