LONDON – Watching the legal system deal with the Internet is like watching somebody trying to drive a car by looking only in the rear-view mirror. The results are amusing and predictable but not really interesting. On the other hand, watching the efforts of regulators — whether British ones such as Ofcom, or multinational, like the European Commission — is more instructive.
At the moment, the commission is wrestling with the problem of how to protect the data of European citizens in a world dominated by Google, Facebook and Co. The windscreen of the metaphorical car that the commission is trying to drive has been cracked so extensively that it’s difficult to see anything clearly through it.
So in her desperation, the driver (Viviane Reding, the commission’s vice-president) oscillates between consulting the rear-view mirror and asking passers-by (who may or may not be impartial) for tips about what lies ahead. And just to make matters worse, she also has to deal with outbreaks of fighting between the other occupants of the car, who just happen to be sovereign states and are a quarrelsome bunch at the best of times.
The idea behind the proposed new general data protection regulation (GDPR) is to extend controls to foreign companies that process the personal data of European Union citizens. The draft regulation proposes a strict compliance regime with fearsome penalties (up to 2 percent of worldwide turnover) for infringement. Personal data is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social-networking websites, medical information or a computer’s IP address.”
The companies potentially affected by this regulation are mightily annoyed, for obvious reasons: Google’s turnover last year was $50 billion, for example, so a 2 percent fine would be a billion dollars, a sum that would make even that company’s bosses choke on their muesli. So we can expect the wrangling in Brussels to continue, with lots of pious declarations about the economic blessings that giant U.S. Internet corporations bestow on European citizens.
But while all this is going on, the ground is shifting beneath the disputants. They are arguing about organizations’ responsibilities in holding and processing personal data, and about the rights of an individual (the “data subject”) to know how their data is being used. But technology is already making some of these considerations moot. The advent of “big data” means that those who try to focus data-protection measures on individual records held by individual organizations may be whistling into the wind.
The reason is that routine big-data analytical techniques can now effectively manufacture personal data that is not protected by any of the measures we’ve used up to now. A well-known illustration of this is the way Target, an American retail chain, creatively collated scattered pieces of data about individuals’ changes in shopping habits to predict the delivery date of pregnant shoppers — so that they could then be targeted with relevant advertisements.
It’s called “predictive analytics” in the trade and a New York Times report of the Target case explains how it’s done. One of the company’s data analysts noticed that some women customers were loading up on supplements such as calcium, magnesium and zinc. “Many shoppers purchase soap and cotton balls, but when someone suddenly starts buying lots of scent-free soap and extra-big bags of cotton balls, in addition to hand sanitizers and washcloths, it signals they could be getting close to their delivery date.”
As a very perceptive academic study of predictive analytics points out, there are some serious downsides to this application of big-data techniques. One is the way they neatly circumvent current approaches to data protection. The individual components in the data jigsaw may all be satisfactorily protected under whatever regulatory regime is finally agreed in Brussels. But data analytics may nevertheless produce from them a piece of personal information that is intensely private — for example sexual orientation as inferred from clues in social-networking posts.
The second danger is that personal data inferred by analytics may be damaging to an individual. And damage may result whether the inference is correct or faulty: a correct inference that someone is concerned about a potential health issue might have an impact on their employment or health-insurance prospects; while an incorrect inference (that a woman was pregnant, say) might lead to discrimination (not being granted a job interview).
The point is that in neither case would the individual know what was happening.