Date: September 11, 2017
Written by: Gary LaFever

2 Alternatives to Consent for Big Data Analytics Under the GDPR

Under EU law, the right of “Protection of Personal Data” is an inalienable fundamental right that an individual cannot contract (or consent) away. Before the GDPR, having access to data was tantamount to having the legal right to use the data. When the data was captured, the individuals to whom the information pertained were asked to provide broad-based consent authorizing the party collecting the data to make essentially any desired use of the data. As a result, securing legal rights to process data was relatively easy – too easy.

Before the GDPR, privacy was protected primarily using written contracts, “click-through” agreements and Terms of Service (“TOS”) that set forth what organizations would be authorized to do, or not do, with data. However, reliance on non-technical, non-preventive, policy-based measures placed the risk for inadequate data protection on data subjects, due to limited recourse against data controllers and data processors for privacy violations. The GDPR now restricts the scope of rights that an individual can convey to any third party. To enforce the inalienable fundamental right of “Protection of Personal Data,” the GDPR now limits the degree to which consent can be granted and relied upon as a legal basis for processing data. GDPR Article 4(11) defines consent as: “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

To legally process personal data, an organization must satisfy at least one of the six legal bases outlined in GDPR Article 6 for lawful data use:

  • Consent: Article 6(1)(a) authorizes the use of data with respect to which “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Big data analytics, artificial intelligence, and machine learning often involve iterative processing in which the nature of subsequent calculations, analyses and evaluations is not known until the initial calculations, analyses and evaluations are completed. As a result, the more restrictive GDPR definition of “consent” no longer provides legal rights to use data for these purposes.
  • Contract: Article 6(1)(b) authorizes the use of data with respect to which “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” This right to data use has been narrowly construed to encompass only the data necessary to perform a contract and does not extend to other uses of data that are ancillary to, or complementary with, the specific requirements to fulfill a contract.
  • Controller Legal Obligation: Article 6(1)(c) authorizes the use of data with respect to which “processing is necessary for compliance with a legal obligation to which the controller is subject.” This legal basis does not authorize the type of data processing in question.
  • Data Subject Vital Interest: Article 6(1)(d) authorizes the use of data with respect to which “processing is necessary in order to protect the vital interests of the data subject or of another natural person.” This legal basis does not authorize the type of data processing in question.
  • Public Interest: Article 6(1)(e) authorizes the use of data with respect to which “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” Given the limitations of legal bases (a) and (b), and the inapplicability of legal bases (c) and (d), as available legal bases to support big data analytics, artificial intelligence and machine learning, this legal basis (e) becomes critical to the ability to legally process data.
  • Legitimate Interest: Article 6(1)(f) authorizes the use of data with respect to which “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” Given the limitations of legal bases (a) and (b), and the inapplicability of legal bases (c) and (d), as available legal bases to support big data analytics, artificial intelligence and machine learning, this legal basis (f) becomes critical to the ability to legally process data.

The restrictions explicit in the legal bases enumerated above, as they apply to lawful big data analytics, artificial intelligence (AI) and machine learning, highlight the critical importance of satisfying requirements for Public Interest and Legitimate Interest. Anonos BigPrivacy first-of-its-kind patented technology uniquely enables data controllers and processors to satisfy requirements for Public Interest and Legitimate Interest as legal bases for lawful processing of big data analytics, artificial intelligence, and machine learning using EU personal data.