Page 20 - FIGI - Big data, machine learning, consumer protection and privacy
P. 20
data and privacy of their subjects, with an important was previously granted adequacy in 2012 under the
theme being the minimisation of data collection, use EU’s prior data protection directive regime.
and sharing. Some countries treat data protection and privacy
The scope of the personal data that may be gen- as a matter of constitutional law. Mexico’s Constitu-
erated and shared may, as a result of big data and tion, for example, prohibits intrusion onto an individ-
machine learning, include inferences made about ual’s person, family, domicile, documents or belong-
them and predictions of their behaviour. However, ings (including any wiretapping of communication
inferences about a person made from their personal devices), except when ordered by a competent
data are typically not treated as personal data to be authority supported by the applicable law. The right
63
protected. Laws often restrict privacy protections to data protection is provided for, setting a standard
55
to rectifying, blocking or erasing the personal data for all collecting, using, storing, divulging or trans-
that is input into algorithms, but not to the evaluation ferring (collectively processing) of personal data to
of that data or decisions based on such evaluation. secure the right to privacy and self-determination. 64
As recently suggested in relation to the GDPR, “Ironi- India’s Supreme Court in 2017 declared privacy a
cally, inferences receive the least protection of all the “fundamental right,” protected by the Constitution,
65
types of data addressed in data protection law, and echoing the United States , the European Union
67
66
yet now pose perhaps the greatest risks in terms of and numerous other jurisdictions. In some cases,
privacy and discrimination.” 56 these matters have a specific written foundation in
the Constitution itself. Brazil’s Constitution, for exam-
Protecting privacy ple, has a right of “habeas data” that gives individ-
Potential data protection remedies include the uals the right to access and correct personal data
consumer’s right to know what personal data is about themselves held by public agencies. Some
68
collected, the right to rectify inaccurate personal countries, such as Kenya, have a constitutional right
57
data and to complete incomplete personal data, of privacy but have not (as yet) introduced stand-
58
the right to have personal data deleted, the right alone legislation.
59
to port data to a third party, and the right to object The proliferation of data and the potential for big
60
to processing of personal data (including for profil- data technologies to violate privacy recently led the
ing). While the European Union has adopted all of Indian Supreme Court to limit the use of Aadhaar,
61
these remedies in the GDPR, many countries focus India’s national digital ID system. The Court ruled
69
more on rights of access and rectification and breach that requiring use of Aadhaar for services other
notification obligations. than public services like social payments, including
Data protection and privacy are not the domain mandatory use of Aadhaar for know-your-custom-
solely of high income, northern hemisphere coun- er (KYC) in banking and telecommunications, would
tries. Today, 107 countries, of which 66 are develop- be unlawful. The Court found that specific legal
70
ing or transition economies, have adopted laws on requirements to link the Aadhaar system with all
data protection and privacy, and more are on the new and existing bank accounts and mobile phone
way. Many countries outside Europe have commit- numbers violated the fundamental right to privacy.
62
ted to stringent levels of data protection by signing It would enable “commercial exploitation of an indi-
Convention 108 (for instance, Mexico signed in 2018). vidual[’s] biometric and demographic information by
EU’s GDPR not only provides reinforced rights and private entities.”
obligations, but has significant extraterritorial impact. Treating privacy as a fundamental right is only one
The GDPR requires that personal data be protected approach to ensuring the protection of users. Some
when it is exported to and processed in countries countries regard privacy less as a matter of funda-
outside Europe. It applies to the processing of any mental rights and more as a matter of consumer
individual’s data who is “in the Union” even if the data protection. While this may result in a weaker com-
processing occurs outside the EU. Thus, countries mitment to general privacy protection, it may result
dealing with Europe in digital services and non-Eu- in greater focus on the trade-offs and cost-benefit
ropean companies who are likely to process data of issues involved in regulating to protect privacy. Con-
Europeans must adopt GDPR-like protections. For sumer protection agencies will more often have to
instance, Japan completed discussions to establish carry out a balancing act when considering whether
data protection and privacy regimes sufficiently sim- a given conduct is unfair to consumers and should be
ilar to the EU to merit “adequacy” treatment in 2018, viewed as unlawful.
71
and talks are ongoing with South Korea. Uruguay
18 Big data, machine learning, consumer protection and privacy