Today, more and more devices and products are connected to the Internet and can be controlled remotely, such as televisions, watches, thermostats, washing machines and even lamps. Through analyses and applications of large data collections ("Big Data"), new insights can be gained about the use of these products, as well as their users. This triggers the question: How does Big Data relate to privacy?
Big Data is at odds with privacy laws for the following three reasons:
According to privacy law (since May 25, 2018, this is the General Data Protection Regulation, abbreviated to AVG), you are required to collect as little personal data as possible and to keep it for as short a time as possible (data minimization), whereas Big Data is all about collecting as much data as possible;
The Privacy Act states that personal data may not be used for purposes other than those for which it was collected (purpose limitation). Big Data is precisely about linking together as much data as possible to gain new insights. Thus, the exact purpose is often difficult to determine in advance; and
If the data processing is based on the data subject's consent, then the consent must have been freely given and the consent must also be revocable. If you have ever tried to refuse privacy conditions of a website or a product (for example, of a software update of your cell phone), then chances are that you could then no longer use the website or product at all. Free consent is then effectively non-existent.
Some companies have already found out for themselves that new technology does not always go well with privacy.
For example, the company Bluetrace, which engages in "wifi tracking," was issued an order subject to a penalty by the privacy regulator Autoriteit Persoonsgegevens because the company collected location data from store visitors and passersby without informing them in advance.
In addition, the company collected and stored more data than necessary for mapping visitor numbers. In doing so, Bluetrace acted in violation of privacy laws.
Two other companies had given their employees a smart bracelet (wearable) that gave the employer insight into the amount of exercise and sleep patterns of employees. The employer may, of course, give the bracelet as a gift, but it is not supposed to see data about employees' health, even if they give permission.
Indeed, given the dependent relationship, it is assumed that an employee cannot freely give consent. After the privacy regulator's investigation, the companies stopped keeping health records.
We can safely conclude that rapid technical developments are at odds with privacy law. And privacy law has become stricter under the AVG, compared to its predecessor, the Personal Data Protection Act (Wbp).
The AVG contains stricter rules, including for Big Data applications using profiling. In some situations it will be mandatory to conduct a Privacy Impact Assessment (PIA), for example before the introduction of new technology (such as new Big Data applications).
Soon, organizations will also have to be able to prove that they have obtained valid consent from data subjects. Tacit consent or the use of "pre-ticked boxes" will not count as consent. It must also be made easy to withdraw previously given consent.
Most organizations are already aware that the fines that can be imposed under the Regulation can be very hefty: the maximum fine is as much as 10 to 20 million Euros, or 2% to 4% of global annual turnover (whichever is higher), per violation.
So there is a very BIG reason to include privacy (AVG) from the beginning when you consider applying Big Data for your business. This is extra important if the Big Data results can have (adverse) consequences for (certain) individuals, for example a higher price, exclusion or other negative outcome.
However, the main reason for "building" privacy into your business is NOT the potential risk of fines and penalties. The main reason should be protecting the privacy of your customers and employees, and only then protecting your reputation and avoiding high fines.
Without the trust of your customers and employees, eventually there won't be much left of your business either.
There is a BIG misconception that nothing is allowed anymore under the AVG. This is not true at all! There are still many opportunities for using Big Data (including personal data) for your business, if you really have legitimate reasons to do so. You just need to be transparent about it, document it well and communicate it well.
So the important question all organizations should ask themselves today is:
"How can I see privacy as a tool for my business, rather than a hindrance?"
This article can also be found in the Big Data dossier