On Friday February 5, 2016, we attended the I Spy: Opportunities and Challenges Surrounding Privacy and Big Data conference organized by the Osgoode JD/MBA Students’ Association. Speakers from industry, government and private practice explored the challenge organizations face in maximizing insights from big data while maintaining a respect for individual privacy.
While we often see major privacy breaches as the subject of front-page news stories, most breaches are actually unknown and unregulated. As the promise of new insights drives business to collect and analyze more data than ever before, it will be more and more important for organizations and governments to develop frameworks for detecting privacy breaches and protecting individuals’ data. In her keynote address Dr. Ann Cavoukian, Executive Director of the Privacy and Big Data Institute, warned that a reactive approach to privacy protection has been failing. A reactive approach creates the potential for financial costs from class actions and regulatory penalties as well as damage to a company’s brand and the loss of consumer trust.
Dr. Cavoukian argued that, when it comes to privacy concerns, organizations should be proactive, focusing on identifying risks and imposing preventative measures to guard against privacy breaches. She discussed her solution, “Privacy by Design” (“PbD”), an approach to privacy that she developed as Ontario’s Information and Privacy Commissioner in the 1990s. It is based on seven pillars:
- Proactive, not reactive: PbD anticipates privacy risks and aims to prevent them, rather than resolve infractions after they have happened.
- Privacy as the default: Personal data should be automatically protected in all business systems. Individuals have to opt-in to having their information disclosed, as opposed to opt-out. If their personal data is going to be used for a purpose that differs from what they originally consented to, they must agree to that.
- Privacy embedded in design: Privacy is a core tenet of IT systems in a business. It is not simply an after-the-fact addition.
- Full functionality: Dr. Cavoukian emphasized that privacy should not be seen as detracting from innovation. Privacy and the insights that can be gained from big data are not mutually exclusive. There can be a “positive sum” outcome whereby privacy is protected and innovation is fostered.
- Full lifecycle protection: Data is protected from the moment of collection to its eventual destruction. Data is securely collected, stored and destroyed.
- Visibility and transparency: Organizations’ adherence to privacy regulations is subject to independent verification. Stakeholders can verify that the relevant data is being treated appropriately.
- Respect for user privacy: The individual’s privacy is paramount. They are empowered to make choices about their own data.
While Dr. Cavoukian focused on the privacy aspect of big data, we also attended a panel on collecting and selling data where panelists discussed the challenge of protecting sensitive customer data while respectfully leveraging it to help inform business strategy. This is increasingly difficult as the approach to privacy protection evolves beyond an individual reading a privacy statement and checking a box. More companies are developing data stewardship roles to govern what data to collect, how to collect it, validate it, hold it, classify it, disseminate it and use it. As regulations and data collection methods evolve, businesses are faced with difficult questions including:
- What constitutes identifying information? Companies often adopt strategies to anonymize data to reduce privacy risks and facilitate the efficient use of collected data. The question for these companies is: What constitutes identifying information? If data can be linked to information that can be used to identify an individual, it is identifying. While name and street address are obvious identifiers, an IP address can also be used to identify an individual. It is often difficult to determine when data has been de-identified.
- What constitutes notice and consent? Under Canadian privacy law, consumers should be given notice of what their personal information will be used for and consent to that specific use. Privacy law in Canada is premised on the idea that personal data is collected for an identifiable purpose, which can be understood by the individual, allowing meaningful consent to be obtained by organizations. Big data challenges that premise in at least two ways. First, the uses of the information are difficult to articulate and understand. How can businesses ensure that individuals are able to understand exactly what their data is used for when the sophisticated statistical and technological methods of analysis are often incomprehensible even to many leaders in the businesses themselves? Second, the analysis of data often reveals new opportunities for uses that may not have been contemplated at the time of collection. This is problematic because if a business collects information from individuals for a certain purpose but wishes to use it for a different purpose, it is required by Canadian privacy law to obtain new consent from those individuals. Obtaining this new consent post-collection raises a host of operational issues. This issue arises frequently because the ultimate purpose of data collection is often not known until after the data has been collected and analyzed.
What we learned at the conference was that Big Data may be able to coexist with Big Privacy. The goal of privacy is not to eliminate the risk of data breaches but to reduce it. As the big data universe becomes increasingly important and complex, business may think of privacy not as stifling innovation but rather as driving innovators to think creatively, to advance strategic goals to better serve customers.
By Diego Beltran, McCarthy Tétrault’s CyberLex