Just because you have it — or have access to it — doesn’t mean that you should use it.
(Especially if “it” is personal data from the good citizens of Europe, as European privacy laws are different (and stricter) than those in the United States.)
Blog post by David Snead in The WHIR.
Emphasis in red added by me.
Brian Wood, VP Marketing
A Lawyer’s Perspective on Big Data
The goal of this blog post is to help you understand Big Data from a legal perspective. To do this, you need to look at Big Data as I do. Thinking like a lawyer will help you identify and appreciate issues that are crucial to your business.
Data ownership and privacy
Individuals and corporations often place a high value on their ownership interest in information. That sense of ownership — the feeling that some data is public information while other data must remain private — is the starting point in your analysis of data from a legal perspective. Private data, as used here, refers to data that is kept strictly confidential. Public data, on the other hand, refers not just to data that is fully disclosed to the public (information that appears on a website, for instance) but also to data that is disclosed, or partially disclosed, under specific circumstances to a limited audience.
Privacy law tends to draw bright lines that separate public data from private data. That legal distinction creates challenges regarding disclosure of big data because, in the real world, the distinction between public and private is not always clear. To begin to learn the legal issues involved in a big data transaction, you must learn to translate the legal distinction into a real world distinction between what is public and what is private.
The distinction, at least initially, is figuring out who originated the data: the initial owner of the information (for instance, a person who fills out a Facebook profile). Determining who might have an ownership claim in the data that is the subject of your analysis will help you identify who you might be required to contact, or analyze, in order to figure out their expectation of privacy in the data.
Identifying the players
To figure out who might have an expectation of privacy in a particular set of data, you need to understand who the players in a big data transaction are. There are typically four sets of players.
The first is generally understood: the originators of the data – or the person or entity who initially contributed the data itself.
The second sets of players are the data collectors. They are the individuals, businesses, or institutions responsible for gathering the data. It is important to understand why the data was collected and what expectations they had about the way the data they collected would be used.
The third sets of players are the data processors. They are data brokers or analysts who seek to order the data and to gain specific knowledge from it. They apply computing power to add value to the data. This is the stage of the process in which legal issues typically begin to arise.
The final sets of players are the end users of the data. They are the customers of the data brokers who intend to make a specific use of the data that has been collected and processed.
Expectations of privacy
The first legal concern that usually arises is privacy. Once you understand who the players are, and what their possible ownership interests are, you can begin to look at privacy issues. People and businesses might expect at least some of the information they provide to a data collector to remain private. Or they might not expect that a data processor will acquire and make use of that information. Court decisions have identified two factors that indicate whether an expectation of privacy in information is reasonable: (i) the likelihood that the information will be discovered; and (ii) the likelihood of discovery by a third party with bad intentions.
The next step after you analyze whether steps were taken to keep information from being discovered is to determine whether it can be discovered by a party with bad intentions. This analysis is more difficult, and more technical than the first. In this case, you will look at things like security strategies and policies, steps taken to protect the data from breach or accidental disclosure, and contractual restrictions that are placed around the data like non-disclosure agreements.
Once you engage in this general analysis, you can begin to ask specific questions that will help you focus on the broader issue of expectations of privacy.
Although court decisions have not been entirely consistent, they have tended to resolve issues involving the disclosure of data that a user considers to be private by asking these questions:
- Was the information known to a limited group of people? If so, was it unlikely to be spread beyond that social group?
- Does the expectation of privacy become unreasonable when an individual shares information with others, knowing there is a risk that the information might be spread to third parties?
- Was the disclosure inadvertent or involuntary?
- Was the information acquired by means of overzealous surveillance in public places?
Violations of a reasonable expectation of privacy can result in civil liability. The two tort actions that generally arise from a misuse of private data are disclosure of private facts and intrusion on seclusion. The next blog post explains how these privacy concerns, and related concerns about liability, influence negotiation and drafting of “big data” contracts.