Out-Law News 2 min. read
30 Apr 2015, 10:44 am
Allan Chiang said it businesses cannot always claim that anonymisation addresses privacy concerns as a result of big data technologies.
"Users of big data may claim that they are working with de-identified information, that is, data stripped of the name and other personal identifiers," Chiang said in a new blog. "They contend that with anonymisation, privacy is no longer an issue. However, such assertion may be a fallacy."
"Our online tracks are tied to smartphones or personal computers through UDIDs, IP addresses, 'fingerprinting' and other means. Given how closely these personal communication devices are associated with each of us, information linked to these devices is, to all intents and purposes, linked to us as individuals. Furthermore, big data can increase the risk of re-identification, and in some cases, inadvertently re-identify large swaths of de-identified data all at once. The consequences could be fatal in the event of a data breach," he said.
Chiang acknowledged that big data can bring "enormous economic and societal benefits", including for improving customer relationships, delivering more personalised advertising, combatting crime and improving health care. However, he said that there are "potential ramifications for privacy and data protection".
He said businesses looking to harness the potential of big data must make consumer privacy and data protection "a priority". The Office of the Privacy Commissioner for Personal Data in Hong Kong is hosting a conference that will look at how the benefits and risks of big data can be balanced in June.
Hong Kong-based technology law expert Peter Bullock of Pinsent Masons, the law firm behind Out-Law.com, said that it is appropriate for the privacy commissioner to address the subject of big data and privacy because of the increasing interest from businesses in aggregating data and gleaning insights from it.
"The problem for data users is that the legal effect of getting the wrong side of the line on whether data is personal data or truly anonymised, ie non-personal, data is binary," Bullock said. "There are no half measures. Many businesses are either ignorant of the problem or assuming that data falls outside the legislation if it is encrypted, anonymised using data which itself contains data which can be traced back to the individual or tokenised, where the tokens may be traced back to individuals, even if this is not the case for every individual."
"In each such case, the data remains personal data. Without obtaining consent in an appropriate fashion from the data subjects affected, the data user will in all cases be in breach of the Personal Data Privacy Ordinance," he said.
In the blog, Chiang warned that correlations identified in big data do not "necessarily imply a cause-and-effect relationship" and that using big data can be "creepy" and privacy intrusive. The privacy commissioner also said that the use of big data to build profiles about people carries risks.
"For example, some insurance companies tried to use credit reports and lifestyle data as proxies for the analysis of blood and urine samples for determinations on eligibility and offers," Chiang said. "This has the advantage of offering a more convenient and affordable service as the customer could complete the transaction online by answering a number of apparently neutral questions and he/she is relieved of the painful and costly lab tests. However, such predictive modelling always entails some margins of error."
"On the one hand, customers at high insurance risks may be accepted erroneously. On the other hand, perfectly healthy applicants may either be rejected or be accepted but have to pay higher insurance premium unknowingly, nor would they be able to access and correct any misleading information about them," he said.