Date
May 12, 2021
 
Written by
Gary LaFever

New European Parliament Motion Urges Review of Data Protection Practices

The methods and purposes of data processing have changed dramatically over the past several decades

Ongoing technology developments make it easier to switch seamlessly from the primary purpose of data collection and processing to advanced secondary analytics, complex artificial intelligence (AI) and machine learning (ML).

As Big Data continues to advance using these technologies, data protection techniques must also evolve to keep pace. While the General Data Protection Regulation (GDPR) was a major step towards ensuring that organisations comply with required data protection obligations to respect data subjects’ fundamental rights, widespread non-compliance nearly three years on remains an issue.

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) recently released a Motion for a Resolution that considers the current privacy law landscape, finding that the most popular Privacy Enhancing Technologies (PETs) do not provide adequate protection for popular Big Data use cases.

Moving beyond simple data protection

The LIBE Motion highlights that organisations can no longer rely on simple “data housekeeping” practices alone to satisfy data protection practices required by both the GDPR legislation and the Schrems II legal decision by the Court of Justice of the European Union enforcing GDPR requirements. However, the reality is that many companies are still focusing on simple data protection for primary data collection and processing and nothing more.

This approach does not satisfy legal requirements for secondary processing via analytics, AI and ML, all of which are becoming more persuasive each day and require a different lawful basis known as ‘legitimate interests’ processing. Indeed, LIBE highlights that legitimate interest processing is crucial for further Big Data development.

This requires a “balancing of interests” test to be satisfied, ensuring that the processing is done in a proportionate manner, and protects the rights of data subjects. Implementing appropriate and robust data protection methods can help tip the balance of this test in favour of the data controller. Still, without technical and organisational measures, this processing’s lawful basis is unlikely to be satisfied.

Critically, the LIBE noted the importance of data protection by design and by default for all processing, which cannot be satisfied by “data housekeeping” techniques alone. Data protection by design and by default requires technical and organisational measures to protect data both in the EU (as required by the GDPR) and outside of the EU (as confirmed by the Schrems II ruling regarding lawful secondary data processing and international data transfers).

Better approaches than Anonymisation?

One aspect of the LIBE’s Motion for Resolution that could be improved upon for modern Big Data processing is their focus on anonymisation. In today’s Big Data world, anonymisation is in many respects impossible to achieve as datasets can be combined from numerous sources, rendering attempts at anonymisation ineffective.

The more datasets out there, the higher the likelihood they can be combined to de-anonymise any given person. While the LIBE recommends that the European Data Protection Board create guidelines and “a list of unambiguous criteria to achieve anonymisation”, many do not believe anonymisation is even possible in today’s Big Data world.

Big Data secondary processing, sharing, and combining actually invalidates the architectural prerequisites relied upon by traditional PETs developed long before modern Big Data practices became commonplace. They rely on controlling the data, users, use cases, and transfer to limit the likelihood of unauthorised re-identification occurring – goals that are not realistically achievable in today’s Big Data world.

An alternative option: GDPR Pseudonymisation

It’s clear that new technical measures are necessary; and for guidance on what these should be we should look at the GDPR itself. Heightened requirements for Pseudonymisation are explicitly mentioned in the GDPR as a means to implement data protection by design and by default. GDPR Pseudonymisation is also recommended by the EDPB as a means to transfer data in compliance with Schrems II.

Schrems II raised the issue of lower protection standards in third countries such as the US, which brought about the invalidation of the Privacy Shield treaty. Given Schrems II’s requirements for global data transfers, techniques such as GDPR-compliant Pseudonymisation can protect data from surveillance in other countries.

The increasing shift towards Big Data processing and the accompanying necessity of data protection evolution highlights the importance of technical and organisational controls to ensure the processing of data without revealing identity except under authorised conditions.

The LIBE Motion explicitly highlights that organisations can no longer rely on “data housekeeping” practices alone, and so businesses must take action now and shift towards more effective data protection techniques to control Big Data use or else be at risk of serious financial penalties and reputational damage.

This article originally appeared in TECHNATIVE. All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS