The Facebook data scandal involves alleged harvesting and misuse of personal data for improper purposes. The Facebook-Cambridge Analytica data scandal is a watershed moment that leaves many organizations wondering whether they can continue to collect, use and share personally identifying data for research/academic purposes and commercial/data analysis purposes.
The answer is “Yes.” Organizations can collect personally identifying data and use protected versions of that data for research and analysis if they embrace principles underlying the new EU General Data Protection Regulation (GDPR) - the most advanced regulation to protect data by default to avoid these types of disasters. Whether or not directly subject to the GDPR, organizations must now use the state of the art in data protection to retain and re-establish confidence with customers, partners, regulators and the general public to avoid a Facebook-like backlash.
Facebook allowed Cambridge Analytica to receive access to personally identifying data to perform analysis. This is where Facebook went wrong. The processing that Facebook authorized Cambridge Analytica to perform did not require personally identifying data. Had Facebook only provided Cambridge Analytica with non-identifying cohorts, groups or classes of Facebook related data, the authorized processing could have been completed without requiring access to identifying data.
GDPR officials recognize the value of correlations and relationships that may be revealed by data analysis, but not at the expense of abrogating fundamental rights of privacy. To balance data-driven innovation and privacy rights of individuals, the GDPR introduces the following two new concepts - “Pseudonymisation” and “Data Protection by Design and by Default.”
The Facebook data scandal highlights the fact that data uses are getting bigger and so are privacy concerns. Organizations must adopt new state of the art data protection technology introduced under the GDPR. Pseudonymisation and Data Protection by Design and by Default represent the state-of-art for balancing the goals of data-driven innovation and preservation of privacy. For information on how Anonos’ patented BigPrivacy technology uniquely enforces GDPR state-of-the-art data protection principles to enable compliant collection, use and sharing of personally identifying data for research and analytics. See recent blog article: 5 Steps To Enable Compliant Analytics.
******
The European Commission Directorate‑General for Communications Networks, Content and Technology (DG CONNECT) is the department responsible for both data innovation and data protection. A DG CONNECT official summarised a March 23, 2018 meeting with Anonos as follows:
I had previously seen three avenues to doing data-driven innovation with personal data in a privacy compliant manner. First, you may secure the consent of a person. Second, you may find a use case where anonymized/generalized data are "just good enough," and you can prove that your method of anonymization or generalization works to prevent re-linking of data to individuals. Third, you may hope that emerging technologies for privacy-preserving analytics like multi-party computing or homomorphic encryption could help you achieve your goal. But, we have learned today that there is a new way - Anonos has introduced us to a distinct different fourth approach which is BigPrivacy dynamic pseudonymisation technology.