Big data, big issues in Australia

December 2013  |  SPOTLIGHT  |  RISK MANAGEMENT

Financier Worldwide Magazine

December 2013 Issue


Big Data is the tracking and aggregation of a large volume of data from various sources such as search engine histories, emails, sales transaction histories, reward/loyalty programs and app downloads. It is of potentially significant value to business and is widely regarded as the new economic asset of our age. 

The extensive amounts of personal information we reveal as we transact online (and by carrying around our smart phones) have taken the relationship between customer profiling, predicting trends and marketing to a new level. Big Data is capable of tracking movements, behaviours and preferences, and of predicting the behaviour of individuals with unprecedented accuracy. The more access businesses have to Big Data, the better they can target advertising and products that match (or rather predict) our specific interests.

The concepts of ‘personal information’ and ‘de-identified information’ and the applicability of the Australian Privacy Act to Big Data appear, at first glance, simple enough: Big Data collects and uses de‑identified data which is not covered by the Privacy Act. On further consideration, however, this is not as straightforward as it appears: can the information contained in Big Data sets ever truly (i.e., permanently) be de‑identified? 

Recently the Australian Privacy Commissioner gave a speech referring to a report that US chain store Walmart had purchased social media start‑up Social Calendar. This acquisition enabled Walmart to create customer profiles by cross referencing their data with that of Social Calendar, perhaps triggering targeted marketing around the time of loved ones’ birthdays, etc. The Commissioner noted that this raised privacy concerns for Social Calendar users, who would have had no idea that their data would be used by Walmart for marketing purposes. 

Another example of problematic use of Big Data occurred recently in the US when Target’s analysis of Big Data revealed (with amazing accuracy) which of its customers were pregnant. Target proceeded to send advertising material for maternity products to all of these customers. However, what Target had neglected to ascertain was that one of the pregnant customers was in fact an underage teenage girl and that its marketing material was seen by her father, who was not yet aware his daughter was pregnant. 

Examples such as these make it increasingly clear that there is a gap between what can be done with Big Data, especially in the retail/consumer and financial services spaces, and what is currently regulated under Australian privacy law or what consumers are ready for. In fact, the Commissioner identified that there exists a gap between practice and regulation of Big Data and that, in the Big Data context, the Privacy Act’s consent model is under pressure. The Commissioner suggested that transparency was key to overcoming such issues. 

The Privacy Act generally regulates the collection, use and disclosure of personal information by imposing notification and consent obligations on entities collecting such information. Australian businesses usually provide such notice and obtain any such consents by way of a privacy policy notified to or accepted by individuals when they first provide their personal information. Of course, if only de‑identified or anonymous information is collected, no privacy policy needs to be notified or consented to. 

As Australian businesses gain access to new and more advanced ways to aggregate information (in larger and larger data sets) and to analyse it in a way that results in the re‑identification of individuals, the collection and use of this re‑identified (or likely re‑identifiable) information is then subject to the general obligations imposed by the Privacy Act (even if the information was originally collected in a de‑identified form). 

If Big Data used by a business includes personal information or likely re‑identifiable information, the Privacy Act requires that individuals are provided with notice regarding matters such as who has collected their personal information, how their information will be used and to whom it will be disclosed. This notice must be provided at or before the time of collection. Where data contains sensitive information (such as health records, race or sexual preference), or where personal information is used for a purpose other than the original notified purpose for which it was collected, the prior consent of the individuals must be obtained.

In practice, it is expensive and impractical for a business to re-notify all individuals or ask them to re‑consent to new uses of their re‑identified information. To circumvent this problem, businesses may seek to draft very complex or vague privacy policies to cover all possible uses of personal information. Customers may find such policies confusing, leading them to abandon purchasing the goods altogether. Alternatively, customers may consent without understanding the policy, and later be taken by surprise when their personal information is used as part of Big Data analysis. This possibility is supported by the findings of a recent Australian Research Council survey which identified that more than 60 percent of respondents rarely or never read website privacy policies. However, even if a privacy policy lists the purposes for collection, businesses are often unable to predict all future uses of the personal information at the time of original collection, especially for later Big Data usage, and so re‑notification remains an issue.

The Privacy Act does not adequately address the concerns of individuals or clarify the steps that business should take to comply with Australian privacy law in respect of Big Data. Some Australian commentators have suggested that Big Data analysis should be strictly limited, even where an individual has consented. Others suggest that ‘informed consent’ obligations are needed to ensure that individuals are aware of all of the consequences of consenting. Alternatively, the onus of protecting personal information could be shifted from the individual to the business.  

It is likely that the Commissioner/the Office of the Australian Information Commissioner will issue guidance on Big Data in the near future. In the meantime, however, businesses can adopt the following steps to minimise the risks of infringing the Privacy Act, receiving numerous customer complaints or being subject to investigation by the Commissioner. First, audit databases to determine the purposes for which personal information was collected and whether it will be or has been used for any purposes (including marketing) other than those for which the information was originally collected. 

Second, determine whether any de‑identified Big Data would be ‘re‑identifiable’ when combined with other data or when analytics are run. If so, review original notices provided and consents obtained when the data was initially collected. 

Third, provide clear notification each time changes are made to practices around collection, use or disclosure of personal information. 

Fourth, ensure the privacy policy is clear and concise. Mobile websites and apps should contain an abridged privacy notice containing a clickable link to the full privacy policy. 

Fifth, consider letting customers consent to uses of personal information that are not essential for the purchase of goods or services separately from the essential uses of the information. 

Sixth, consider periodically asking customers to re‑consent, and incentivising consent for non‑essential uses. 

Finally, ensure internal practices with respect to the handling of personal information comply with recent guidance documents issued by the Commissioner/OAIC (including the recently issued ‘Guide to Information Security’). 

 

Reyhaneh Saadati is a solicitor and Alec Christie is a partner at DLA Piper Australia. Ms Saadati can be contacted on +61 2 9286 8509 or by email: reyhaneh.saadati@dlapiper.com. Mr Christie can be contacted on +61 2 9286 8237 or by email: alec.christie@dlapiper.com.
