Protection of personal data in a business context

MK99 – Big Data 1 Big data & cross-platform analytics MOOC lectures Pr. Clement Levallois

description

Slides of the course on big data by Clement Levallois from EMLYON Business School. For business students. Check the online video connected with these slides. -> Basic concepts relating to the protection of personal data in the EU and in China, USA, India and Russia: what are the legal frameworks and what is expected from businesses.

Transcript of Protection of personal data in a business context

Page 1: Protection of personal data in a business context

MK99 – Big Data 1

Big data & cross-platform analytics MOOC lectures

Pr. Clement Levallois

Page 2: Protection of personal data in a business context

Protection of Personal Data in a Business Context

Page 3: Protection of personal data in a business context

Preliminary distinctions to be made

This piece of data in my organization:

• (1) Recognized as a creation of the mind? -> Intellectual property rights apply

• (2) Recognized as personal data -> Personal data protection applies (TOPIC FOR TODAY)

• Neither (1) nor (2) -> Open data is possible

• (3) In all cases: concern for cyber security applies

Page 4: Protection of personal data in a business context

What is “the data” we talk about?

• Information to be processed automatically – Hint: data on computers, not unstructured written notes

• Or intended to be processed automatically – Hint: paper records to be fed in a computer, not any pile of paper

• Or structured information that can be used to facilitate the retrieval of specific information on specific individuals – Hint: paper records, filing systems

Page 5: Protection of personal data in a business context

What can go wrong?

• Users can be stripped of their right to privacy

• Companies big and small can be prosecuted

– February 2014: Google fined 150,000 euros by CNIL and 900,000 euros by the Spanish Data Protection Authority

– https://gigaom.com/2014/02/07/google-must-post-news-of-privacy-fine-after-french-court-refuses-to-suspend-order/

– 15 July 2014: The owner of a marketing company trading as Vintels has been prosecuted for failing to notify the ICO of changes to his notification at Willesden Magistrates Court today. Jayesh Shah was fined £4000, ordered to pay costs of £2703 and a £400 victim surcharge.

– http://ico.org.uk/enforcement/prosecutions

(but the amounts are not powerful deterrents?)

Page 6: Protection of personal data in a business context

EU: the most restrictive legal framework

• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

• To guarantee and facilitate the free movement of personal data across EU States.

• No right to export personal data to a non-EU country with a lower level of personal data protection.

Page 7: Protection of personal data in a business context

Who is in charge of data protection?

• EU Directive of 1995 distinguishes between

– Data controller

• The one in charge of setting up the data protection policy.

• Ex: in the UK, the DC is in charge of declaring the personal data being processed to the ICO register.

• See for instance: http://ico.org.uk/ESDWebPages/DoSearch?reg=498470

– Data processor

• The one in charge of implementing the policy

Page 8: Protection of personal data in a business context

What is personal data

• Personal data relates to a living individual who can be identified:

• (a) from those data, or

• (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

• and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Page 9: Protection of personal data in a business context

What is personal data

• France – National Commission on Informatics and Liberties (CNIL)

– Data which relates directly or indirectly to an individual who is or can be identified from this data

– To know if a person can be identified from the data, one should consider all means available to the agents holding the data, or to anyone else.

– Datasets must be declared to the CNIL, by law.

Page 10: Protection of personal data in a business context

U.S.A.

• Framework on data protection for data collected / held by the Federal government

• But no general framework on data protection outside the Fed. gov

• Safe Harbor Act

– Managed by the Federal Trade Commission

– Reason: EU orgs can’t transfer EU data to the US because US is less protective than the EU

– US companies joining the SH Act voluntarily comply with the spirit of the EU directive

Page 11: Protection of personal data in a business context

India

• IT Act of 2000 + IT Rules 2011

• Focus on sensitive personal information

– Passwords

– Financial information

– Health condition

– Sexual orientation

– Biometric information

• No need to declare data processing activities to an authority

Page 12: Protection of personal data in a business context

China

• Has not enacted a single piece of legislation for the protection of data

– Except for general laws: National People’s Congress Standing Committee Decision concerning Strengthening Network Information Protection (http://tinyurl.com/npcdecision)

• Rather, sector based pieces of legislation

– Such as: Regulation on Personal Information Protection of Telecom and Internet Users (MIIT Regulation) (http://tinyurl.com/miitdecision)

Page 13: Protection of personal data in a business context

Brazil

• Data privacy regulations

– Made up of the Brazilian constitution, the civil code, the Brazilian consumer protection and defense code

• Notion of “Habeas data”, in reference to the Habeas Corpus.

– The right for individuals to access and edit their personal information in public and consumer databases, even after their consent has been granted

• No privacy regulation authority

Page 14: Protection of personal data in a business context

Russia

• Sensitive data (relating to race, politics, etc.) requires consent in written form before processing

• A processor of personal data must notify the Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor) before it begins to process personal data

• No specific regulations on cookies

Page 15: Protection of personal data in a business context

Basic principles

1. Consent: users must give their approval on sharing their data

2. Adequacy: data is collected for the purposes stated, not more, not for a longer duration

3. Transparency: under the control of the user (view / edit / delete)

4. Safety: reasonable procedures should be in place to ensure points 1 to 3 are applied, and to make sure the data is secure.

Page 16: Protection of personal data in a business context

Consent

• Prior consent is required before collecting personal data in view of processing it

– Data collection policy should be made clearly available to users

– Opt out should be possible

– Consent should be presented clearly (as in the new EU regulation)

• Some exemptions: cookies used to deliver the core service delivered to the user (session cookies, purchase basket cookies…)

• Bear in mind that cookies are just one kind of many tracers to identify users

Page 17: Protection of personal data in a business context

Adequacy

• Websites, mobile apps and social media logins should ask for permissions exactly necessary to run the service, not more

• Time out: information should be deleted when service stops

– in France, there is a 13 month limit after which consent must be renewed

Page 18: Protection of personal data in a business context

Transparency

• Information should be available on request

– In 2011, an Austrian student requested all his Facebook data. He got 1,200 pages of it.

– As of 2014, you can download all your FB data in one click.

• Users should be able to edit, update, delete their information -> See European ruling on “Right to be forgotten”

Page 19: Protection of personal data in a business context

Safety

• All reasonable precautions should be taken against data breaches.

• Precautions taken should be scaled to the damage which would result from a breach in security

• Basics: define and manage access rights to each relevant aspect of the data.

• Users should be told about security breaches potentially affecting their data

Page 20: Protection of personal data in a business context

Where big data changes the deal

• One dataset in itself does not always reveal personal information. However:

several datasets combined + use of data mining techniques + knowledge of the domain + hacker approach (clever guesses etc.) = identification often possible

Big data

Page 21: Protection of personal data in a business context

Harvard Researchers Accused of Breaching Students' Privacy

• 1.2 million Facebook accounts from 4 different Universities collected by a Harvard research team

• Little info on each account (age, gender…), all anonymized

• But… tracing who befriends whom + demographics info can de-anonymize the dataset

Source: http://chronicle.com/article/Harvards-Privacy-Meltdown/128166/

“One issue, Mr. Zimmer says, is that someone might be able to figure out individual students' identities. People with unique characteristics could be discovered on the basis of what the Harvard group published about them. (For example, the original code book lists just three students from Utah.) “He's right about how easy it is to identify people who are presumably part of the data set. By searching a Facebook group of Harvard's Class of 2009, a Chronicle reporter quickly tracked down one of those three Utah students. Her name is Sarah M. Ashburn. The 24-year-old is in Haiti working for a foundation that helps AIDS victims.”

Page 22: Protection of personal data in a business context

London’s bike-share program unwittingly revealed its cyclists’ movements for the world to see

“Those are journeys made between 4am and 10am [by a single bike-share user]. They head in one direction: towards King’s Cross (in fact, to the only cycle docking station near the Guardian’s headquarters). And they come from two places, suggesting this person spends the night at a location that is not home.”

Source: http://qz.com/199209/londons-bike-share-program-unwittingly-revealed-its-cyclists-movements-for-the-world-to-see/

Page 23: Protection of personal data in a business context

Riding with the Stars: Passenger Privacy in the NYC Taxicab Dataset

Source: http://research.neustar.biz/2014/09/15/riding-with-the-stars-passenger-privacy-in-the-nyc-taxicab-dataset/

Bradley Cooper Jessica Alba

“In Brad Cooper’s case, we now know that his cab took him to Greenwich Village, possibly to have dinner at Melibea, and that he paid $10.50, with no recorded tip.”

Page 24: Protection of personal data in a business context

Best practices for data protection in a big data world

• Basic rule: just because users granted access to different pieces of data does not mean they granted rights to access / disseminate all the personal information that can be reconstructed from it.

• Beware access rights to geolocalized, network, timestamped and textual data

– All are very informative even when anonymized, especially when crossed together.

• Beware the long tail

– While very common profiles (“average joe”) might be hard to identify in a dataset, odd profiles stand out easily and might be put at risk of being de-anonymized.
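
Added example (not part of the original slides): a pre-release audit a data owner can run to find the "long tail" records described above, using a k-anonymity count over quasi-identifiers. The dataset, the auxiliary roster, the column names and the region mapping are all constructed assumptions.

```python
from collections import Counter

# Constructed sample: a release with names already removed ("anonymized").
RELEASE = [
    {"id": "r1", "age": 21, "gender": "F", "state": "MA"},
    {"id": "r2", "age": 21, "gender": "F", "state": "MA"},
    {"id": "r3", "age": 22, "gender": "M", "state": "MA"},
    {"id": "r4", "age": 22, "gender": "M", "state": "MA"},
    {"id": "r5", "age": 21, "gender": "M", "state": "NY"},
    {"id": "r6", "age": 21, "gender": "M", "state": "NY"},
    {"id": "r7", "age": 22, "gender": "F", "state": "UT"},
    {"id": "r8", "age": 23, "gender": "F", "state": "NY"},
]
# Constructed auxiliary data that someone outside the organization could hold.
ROSTER = [
    {"name": "Student A", "age": 21, "gender": "F", "state": "MA"},
    {"name": "Student G", "age": 22, "gender": "F", "state": "UT"},
    {"name": "Student H", "age": 23, "gender": "F", "state": "NY"},
]
QUASI_IDENTIFIERS = ("age", "gender", "state")
REGION = {"MA": "Northeast", "NY": "Northeast", "UT": "West"}  # assumed coarsening

def _key(row, cols=QUASI_IDENTIFIERS):
    return tuple(row[c] for c in cols)

def at_risk(rows, k):
    """IDs of records sharing their quasi-identifier values with fewer than k rows."""
    sizes = Counter(_key(r) for r in rows)
    return [r["id"] for r in rows if sizes[_key(r)] < k]

def linkable(release, auxiliary):
    """Release IDs that are unique and match exactly one auxiliary record."""
    rel = Counter(_key(r) for r in release)
    aux = Counter(_key(a) for a in auxiliary)
    return [r["id"] for r in release if rel[_key(r)] == 1 and aux[_key(r)] == 1]

def generalize(rows):
    """Mitigation: replace exact age with a 5-year band and state with a region."""
    return [{**r, "age": f"{r['age'] // 5 * 5}-{r['age'] // 5 * 5 + 4}",
             "state": REGION[r["state"]]} for r in rows]

def safe_release(rows, k):
    """Generalize, then suppress whatever still falls below k."""
    coarse = generalize(rows)
    drop = set(at_risk(coarse, k))
    return [r for r in coarse if r["id"] not in drop]
```

With k = 2, coarsening folds r8 into a larger group, but the lone Utah record r7 stays unique and has to be suppressed: the long tail survives generalization.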

Page 25: Protection of personal data in a business context

Last note: data protection in a post-Snowden world

• Assumption: your national state and surely others have access to the servers and communications of organizations.

• If not, states can issue legal injunctions to organizations to deliver private information.

• This means that data protection for individuals, by companies, has limits: it is not free from state surveillance.

• Except… for companies that put personal data protection at the heart of their business model? Snowden cites https://spideroak.com/ as an example.

July 2014: Snowden on data privacy, technology, cloud companies and more.

Page 26: Protection of personal data in a business context

This slide presentation is part of a course offered by EMLYON Business School (www.em-lyon.com)

Contact Clement Levallois (levallois [at] em-lyon.com) for more information.