Big data, big issues in Australia
December 2013 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Big Data is the tracking and aggregation of a large volume of data from various sources such as search engine histories, emails, sales transaction histories, reward/loyalty programs and app downloads. It is of potentially significant value to business and is widely regarded as the new economic asset of our age.
The extensive amounts of personal information we reveal as we transact online (and by carrying around our smart phone) has taken the relationship between customer profiling, predicting trends and marketing to a new level. Big Data is capable of tracking movements, behaviours, preferences and predicting the behaviour of individuals with unprecedented accuracy. The more access business has to Big Data the better they can target advertising and products that match (or rather predict) our specific interests.
The concepts of ‘personal information’ and ‘de-identified information’ and the applicability of the Australian Privacy Act to Big Data appear, at first glance, simple enough: Big Data collects and uses de‑identified data which is not covered by the Privacy Act. On further consideration, however, this is not as straightforward as it appears: can the information contained in Big Data sets ever truly (i.e., permanently) be de‑identified?
Recently the Australian Privacy Commissioner gave a speech referring to a report that US chain store Walmart had purchased social media start‑up Social Calendar. This acquisition enabled Walmart to create customer profiles by cross referencing their data with that of Social Calendar, perhaps triggering targeted marketing around the time of loved ones’ birthdays, etc. The Commissioner noted that this raised privacy concerns for Social Calendar users, who would have had no idea that their data would be used by Walmart for marketing purposes.
Another example of problematic use of Big Data occurred recently in the US when Target’s analysis of Big Data revealed its customers that were pregnant (with amazing accuracy). Target proceeded to send advertising material for maternity products to all of these customers. However, what Target had neglected to ascertain was that one of the pregnant customers was in fact an underage teenage girl and that its marketing material was seen by her father, who was not yet aware his daughter was pregnant.
Examples such as these make it increasingly clear that there is a gap between what can be done with Big Data, especially in the retail/consumer and financial services spaces, and what is currently regulated under Australian privacy law or what consumers are ready for. In fact, the Commissioner identified that there exists a gap between practice and regulation of Big Data and that, in the Big Data context, the Privacy Act’s consent model is under pressure. The Commissioner suggested that transparency was key to overcoming such issues.
As Australian businesses have access to new and more advanced ways to aggregate information (in larger and larger data sets) and analyse such in a way that results in the re‑identification of individuals, this re‑identified (or likely re‑identifiable) information, its collection and use is then subject to the general obligations imposed by thePrivacy Act (even if originally collected in a de‑identified form).
If Big Data used by a business includes personal information or likely re‑identifiable information, the Privacy Act requires that individuals are provided with notice regarding matters such as who has collected their personal information, how their information will be used and to whom it will be disclosed. This notice must be provided at or before the time of collection. Where data contains sensitive information (such as health records, race or sexual preference), or where personal information is used for a purpose other than the original notified purpose for which it was collected, the prior consent of the individuals must be obtained.
The Privacy Act does not adequately address the concerns of individuals or clarify the steps that business should take to comply with Australian privacy law in respect of Big Data. Some Australian commentators have suggested that Big Data analysis should be strictly limited, even where an individual has consented. Others suggest that ‘informed consent’ obligations are needed to ensure that individuals are aware of all of the consequences of consenting. Alternatively, the onus of protecting personal information could be shifted from the individual to the business.
It is likely that the Commissioner/the Office of the Australian Information Commissioner will issue guidance on Big Data in the near future. In the meantime, however, businesses can adopt the following steps to minimise the risks of infringing the Privacy Act, receiving numerous customer complaints or being subject to investigation by the Commissioner. First, audit databases to determine the purposes for which personal information was collected and whether it will or has been used for any purposes (including marketing) other than for which the information was originally collected.
Second, determine whether any de‑identified Big Data would be ‘re‑identifiable’ when combined with other data or when analytics are run. If so, review original notices provided and consents obtained when the data was initially collected.
Third, provide clear notification each time changes are made to practices around collection, use or disclosure of personal information.
Fifth, consider giving customers a choice between consenting to use of personal information that is not essential for the purchase of goods or services separately from the essential uses of the information.
Sixth, consider periodically asking customers to re‑consent and to incentivise the consent for non‑essential uses.
Finally, ensure internal practices with respect to the handling of personal information comply with recent guidance documents issued by the Commissioner/OAIC (including the recently issued ‘Guide to Information Security’).
Reyhaneh Saadati is a solicitor and Alec Christie is a partner at DLA Piper Australia. Ms Saadati can be contacted on +61 2 9286 8509 or by email: email@example.com. Mr Christie can be contacted on +61 2 9286 8237 or by email: firstname.lastname@example.org.
© Financier Worldwide
Reyhaneh Saadati and Alec Christie
DLA Piper Australia