Big Data Will Turn Privacy Upside Down
Article on May 07, 2013
This post by Jon Neiditz is part of our ongoing series of contributed content. Reprinted with permission - you can read the full article here: Big Data Will Turn Privacy Upside Down in a Way that Will Put New Burdens on Cloud Providers, and Individuals May Turn Big Data Upside Down
Privacy scholars and practitioners the world over have now noted that the current regulation of privacy simply does not work well in a big data world. Thus to the extent that they are openly welcoming or at least acknowledging the inevitability of such a world, many of them (us) are beginning to seek new approaches. Among the major concerns regarding the application of current privacy law to big data are the following:
If big data leads us to (a) give up on data minimization and destruction as soon as the primary use has been completed, (b) limits reliance on complete alienation of rights based on an initial notice and consent, and (c) undermines to some extent reliance on the effectiveness of de-identification, then the protection of privacy must have what are called in information security “compensating controls.” Those controls are particularly important to emphasize here, because in my view they go to the very heart of using cloud computing in big data:
These new professionals would be experts in the areas of computer science, mathematics, and statistics; they would act as reviewers of big-data analyses and predictions. Algorithmists would take a vow of impartiality and confidentiality, much as accountants and certain other professionals do now. They would evaluate the selection of data sources, the choice of analytical and predictive tools, including algorithms and models, and the interpretation of results.
These two “compensating controls” — as substitutes for the more traditional privacy regulatory requirements at the beginning of this section — would put a great deal of regulatory and auditing pressure on both big data firms and cloud providers to become both less messy and more transparent.
A third force that would have a similar impact might come from Europe in the next year. Among the sets of ideas under consideration in the transformation of European data protection regulation that is now underway are many that would put more power in the hands of individuals. In the US, Tene and Polonetsky made the case for such a shift in control in a popular paper, and Rubinstein extended their thinking, incorporating Doc Searls’ work on Vendor Relations Management (VRM). If the European Union proceeds in this direction, it will render the creation of aggregators that lower transactional costs likely, opening the door to individuals to play an active role in the big data economy. And where would individuals store their big data, but in their “personal clouds” that many of them already have and others will soon given the consumerism of IT?
One way or another, value will be delivered to the individual as an individual, thanks to big data. The question as between an American approach and a European approach may be how much the individual will be consciously involved in the creation of that value.
 For two good looks at where big data may lead privacy regulation, see,Christopher Kuner, Fred H. Cate, Christopher Millard and Dan Jerker B. Svantesson, The challenge of ‘big data’ for data protection, Oxford Journal of International Data Privacy Law, Volume 2, Issue 2, (Pp. 47-49) and Ira Rubinstein, “Big Data: The End of Privacy or a New Beginning,” International Data Privacy Law (2013)
But see, Ann Cavoukian & Khaled El Emam, Info. & Privacy Comm’r of Ont., Dispelling the Myths Surrounding De-identification: Anonymization Remains a Strong Tool for Protecting Privacy 7 (2011), available athttp://www.ipc.on.ca/images/Resources/anonymization.pdf.
 Mayer-Schonberger and Cukier, op cit., pp. 172-184.
 Ibid., pp. 179-182.
 Omer Tene and Jules Polonetsky, ‘Big Data for All: Privacy and User Control in the Age of Analytics,’ (forthcoming) Northwestern Journal of Technology and Intellectual Property.
 Rubinstein, op. cit., at p.8.