Page 20 - FIGI - Big data, machine learning, consumer protection and privacy
P. 20

data and privacy of their subjects, with an important   was previously granted adequacy in 2012 under the
            theme being the minimisation of data collection, use   EU’s prior data protection directive regime.
            and sharing.                                         Some countries treat data protection and privacy
               The scope of the personal data that may be gen-  as a matter of constitutional law. Mexico’s Constitu-
            erated and shared may, as a result of big data and   tion, for example, prohibits intrusion onto an individ-
            machine learning, include inferences made about    ual’s person, family, domicile, documents or belong-
            them  and  predictions  of  their  behaviour.  However,   ings (including any wiretapping of communication
            inferences about a person made from their personal   devices), except when ordered by a competent
            data are typically not treated as personal data to be   authority supported by the applicable law.  The right
                                                                                                   63
            protected.  Laws often restrict privacy protections   to data protection is provided for, setting a standard
                     55
            to rectifying, blocking or erasing the personal data   for all collecting, using, storing, divulging or trans-
            that is input into algorithms, but not to the evaluation   ferring (collectively processing) of personal data to
            of that data or decisions based on such evaluation.   secure the right to privacy and self-determination. 64
            As recently suggested in relation to the GDPR, “Ironi-  India’s Supreme Court in 2017 declared privacy a
            cally, inferences receive the least protection of all the   “fundamental right,” protected by the Constitution,
                                                                                                            65
            types of data addressed in data protection law, and   echoing  the  United  States ,  the  European  Union
                                                                                                            67
                                                                                       66
            yet now pose perhaps the greatest risks in terms of   and numerous other jurisdictions. In some cases,
            privacy and discrimination.” 56                    these matters have a specific written foundation in
                                                               the Constitution itself. Brazil’s Constitution, for exam-
            Protecting privacy                                 ple, has a right of “habeas data” that gives individ-
            Potential data protection remedies include the     uals the right to access and correct personal data
            consumer’s right to know what personal data is     about themselves held by public agencies.  Some
                                                                                                      68
            collected,  the right to rectify inaccurate personal   countries, such as Kenya, have a constitutional right
                     57
            data and to complete incomplete personal data,     of privacy but have not (as yet) introduced stand-
                                                         58
            the right to have personal data deleted,  the right   alone legislation.
                                                 59
            to port data to a third party,  and the right to object   The proliferation of data and the potential for big
                                     60
            to processing of personal data (including for profil-  data technologies to violate privacy recently led the
            ing).  While the European Union has adopted all of   Indian Supreme Court to limit the use of Aadhaar,
                61
            these remedies in the GDPR, many countries focus   India’s national digital ID system.  The Court ruled
                                                                                            69
            more on rights of access and rectification and breach   that requiring use of Aadhaar for services other
            notification obligations.                          than public services like social payments, including
               Data protection and privacy are not the domain   mandatory use of Aadhaar for know-your-custom-
            solely  of  high income,  northern  hemisphere  coun-  er (KYC) in banking and telecommunications, would
            tries. Today, 107 countries, of which 66 are develop-  be unlawful.  The Court found that specific legal
                                                                          70
            ing or transition economies, have adopted laws on   requirements to link the Aadhaar system with all
            data protection and privacy, and more are on the   new and existing bank accounts and mobile phone
            way.  Many countries outside Europe have commit-   numbers violated the fundamental right to privacy.
                62
            ted to stringent levels of data protection by signing   It would enable “commercial exploitation of an indi-
            Convention 108 (for instance, Mexico signed in 2018).  vidual[’s] biometric and demographic information by
               EU’s GDPR not only provides reinforced rights and   private entities.”
            obligations, but has significant extraterritorial impact.   Treating privacy as a fundamental right is only one
            The GDPR requires that personal data be protected   approach to ensuring the protection of users. Some
            when it is exported to and processed in countries   countries regard privacy less as a matter of funda-
            outside Europe. It applies to the processing of any   mental  rights  and  more  as  a  matter  of  consumer
            individual’s data who is “in the Union” even if the data   protection. While this may result in a weaker com-
            processing occurs outside the EU. Thus, countries   mitment to general privacy protection, it may result
            dealing with Europe in digital services and non-Eu-  in greater focus on the trade-offs and cost-benefit
            ropean companies who are likely to process data of   issues involved in regulating to protect privacy. Con-
            Europeans must adopt GDPR-like protections. For    sumer protection agencies will more often have to
            instance, Japan completed discussions to establish   carry out a balancing act when considering whether
            data protection and privacy regimes sufficiently sim-  a given conduct is unfair to consumers and should be
            ilar to the EU to merit “adequacy” treatment in 2018,   viewed as unlawful.
                                                                                71
            and  talks  are ongoing with South  Korea. Uruguay



            18   Big data, machine learning, consumer protection and privacy
   15   16   17   18   19   20   21   22   23   24   25