Gary LaFever | September 11, 2017

2 Alternatives to Consent for Big Data Analytics Under the GDPR

Anonos_GDPR_Consent.jpg

Under EU law, the right of “Protection of Personal Data” is an inalienable fundamental right that an individual cannot contract (or consent) away. Before the GDPR, having access to data was tantamount to having legal right to use the data. When the data was captured, individuals about whom the information pertains were asked to provide broad-based consent authorizing the party collecting the data to make essentially any desired use of the data. As a result, securing legal rights to process data was relatively easy – too easy.

Before the GDPR, privacy was protected primarily using written contracts, “click-through” agreements and Terms of Service (“TOS”) that set forth what organizations would be authorized to do, or not do, with data. However, reliance on non-technical, non-preventive, policy-based measures placed the risk for inadequate data protection on data subjects, due to limited recourse against data controllers and data processors for privacy violations. The GDPR now restricts the scope of rights that an individual can convey to any third party. To enforce the inalienable fundamental right of “Protection of Personal Data,” the GDPR now limits the degree to which consent can be granted and relied upon as a legal basis for processing data. GDPR Article 4(11) defines consent as: “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

To legally process personal data, an organization must satisfy at least one of the six legal bases outlined in GDPR Article 6 for lawful data use:

  • Consent: Article 6(1)(a) authorizes the use of data with respect which “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Big data analytics, artificial intelligence, and machine learning often involve iterative processing in which the nature of subsequent calculations, analyses and evaluations are not known until the result of initial calculations, analyses and evaluations are completed. As a result, the more restrictive GDPR definition of “consent” no longer provides legal rights to use data for these purposes.
  • Contract: Article 6(1)(b) authorizes the use of data with respect which “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” This right to data use has been narrowly construed to encompass only that data necessary to perform a contract and does not extend to other uses of data that are ancillary to, or complementary with, the specific requirements to fulfill a contract.
  • Controller Legal Obligation: Article 6(1)(c) authorizes the use of data with respect which “processing is necessary for compliance with a legal obligation to which the controller is subject.” This legal basis does not authorize the type of data processing in question.
  • Data Subject Vital Interest: Article 6(1)(d) authorizes the use of data with respect which “processing is necessary in order to protect the vital interests of the data subject or of another natural person.” This legal basis does not authorize the type of data processing in question.
  • Public Interest: Article 6(1)(e) authorizes the use of data with respect which “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” Given the limitations of legal bases (a) and (b), and inapplicability of legal bases (c) and (d), as available legal bases to support big data analytics, artificial intelligence and machine learning, this legal basis (e) becomes critical to the ability to legally process data.
  • Legitimate Interest: Article 6(1)(f) authorizes the use of data with respect which “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” Given the limitations of legal bases (a) and (b), and inapplicability of legal bases (c) and (d), as available legal bases to support big data analytics, artificial intelligence and machine learning, this legal basis (f) becomes critical to the ability to legally process data.

The restrictions explicit in the above enumerated legal bases required to support lawful big data analytics, artificial intelligence (AI) and machine learning, highlight the critical importance of satisfying requirements for Public Interest and Legitimate Interest. Anonos BigPrivacy first-of-its-kind patented technology uniquely enables data controllers and processors to satisfy requirements for Public Interest and Legitimate Interest as legal bases for lawful processing of big data analytics, artificial intelligence, and machine learning using EU personal data.

Are you facing any of these 4 problems with data?

You need a solution that removes the impediments to achieving speed to insight, lawfully & ethically

Roadblocks
to Insight
Are you unable to get desired business outcomes from your data within critical time frames? 53% of CDOs cannot achieve their desired uses of data. Are you one of them?
Lack of
Access
Do you have trouble getting access to the third-party data that you need to maximise the value of your data assets? Are third-parties and partners you work with worried about liability, or disruption of their operations?
Inability to
Process
Are you unable to process data due to limitations imposed by internal or external parties? Do they have concerns about your ability to control data use, sharing or combining?
Unlawful
Activity
Are you unable to defend the lawfulness of your current data processing activities, or data processing you have done in the past?
THE PROBLEM
Traditional privacy technologies focus on protecting data by putting it in “cages,” “containers,” or limiting use to centralised processing only. This limitation is done without considering the context of what the desired data use will be, including decentralised data sharing and combining. These approaches are based on decades-old, limited-use perspectives on data protection that severely minimise the kinds of data uses that remain available after controls have been applied. On the other hand, many other new data-use technologies focus on delivering desired business outcomes without considering that roadblocks may exist, such as those noted in the four problems above.
THE SOLUTION
Anonos technology allows data to be accessed and processed in line with desired business outcomes (including sharing and combining data) with full awareness of, and the ability to remove, potential roadblocks.