One of the principles of data collection is that data are collected for a clearly defined purpose. Moreover, collected data may be used only for this purpose. This is the finality principle. However, the principle seems to contradict the basic principle of big data analysis: trying to find undiscovered patterns in data that were often collected for different purposes.
Is there a clash between these two principles? Is big data analysis illegal? This article discusses several possible ways to interpret one of the basic legal issues of big data analysis.
The majority of jurisdictions say no …
In general, the finality principle prevents the use of data for a secondary purpose. This is true for the majority of jurisdictions. If a data processor intends to process data for a secondary purpose, the user should give specific consent for this activity.
… but some of them allow exceptions
Many jurisdictions allow an analysis of data for a secondary purpose if it is compatible with the original purpose. Moreover, in some jurisdictions, secondary analysis is possible if the data subject could have had reasonable expectations that the data might be used for such a purpose. However, neither compatibility nor reasonable expectations have a clear definition. Therefore, it would depend on the analysis of a specific situation.
Especially in the European context, data might be used for statistical, scientific and historical purposes. The exception is based on Article 6(1)(b) of Directive 95/46/EC. However, it is not 100 percent clear what “statistical purposes” means. If data are used for big data analysis with an intention to predict customers’ behavior and profit, it would probably not fall into the category.
Many jurisdictions permit data analysis for a secondary purpose where a statutory provision enables such analysis.
What are the practices of subjects using big data analysis?
If we look at the privacy policies of major data collectors, they usually include a principle that they may use information from the user for the purposes of improving present services, testing new ones and for data analysis.
Usually, they also include a provision that they would ask for the user's consent to collect data for purposes other than those specified in the Policy. However, the above-mentioned definition is broad and would cover all necessary purposes of big data analysis.
In conclusion – is there a clash between the principles? According to the analysis, it seems that the answer is more “yes” than “no”. In general, processing data for a secondary purpose is not allowed by legislation. In some jurisdictions, it might be possible to analyze data pursuant to exceptions.
However, the safest way to enable big data analysis of collected data is to include the purpose of improving, testing and analyzing the service in the primary purpose of processing. In this way, the data subject would give consent at the beginning and it should not be necessary to deal with these issues afterwards.
Do you have any experience with obtaining consent for big data analysis? Feel free to comment under the article or here.
Note: This article is intended as a summary of issues. Its purpose is not to provide legal advice or create an attorney-client relationship between you and the author of this article.