Page 21 - FIGI - Big data, machine learning, consumer protection and privacy
This approach does not prevent focused privacy law and regulation where it is most important, which in most countries has included the health, financial and communications sectors, and protection of children. Some countries have no generally applicable privacy law, but have developed substantial privacy law and regulation separately in such individual sectors at different times and without strong coordination among the sectoral legal provisions. While this may allow privacy concerns to be tailored to a given sector’s specificities, it also risks creating complexity, inconsistencies among sectors and challenges to harmonization across borders.

Some countries have preferred to establish non-binding standards for privacy protection, such as China’s National Standards on Information Security Technology – Personal Information Security Specification GB/T 35273-2017, which entered into effect in 2018. This establishes numerous standards for protecting personal information, loosely based on Europe’s GDPR. It sets out practices that regulators will expect to see introduced when they audit firms and enforce China’s existing data protection laws, in particular the 2016 Cybersecurity Law. Further national standards, including on big data and data anonymisation, are expected to be introduced.

Even jurisdictions that assert privacy as a fundamental right recognise the necessity of weighing the individual’s interest against the interest of public and private organisations, and broader social interests such as scientific research, innovation, national security and crime enforcement. Not only is there in many jurisdictions a basic right to conduct a business,[72] there may be intellectual property and trade secrets rights involved as well.

Protecting privacy, like any regulation, involves costs, such as the financial costs of compliance and the opportunity costs of new services relying on access to personal data. Some argue that such costs are a justifiable economic investment because strengthened trust will increase demand for services. Some view such investments, as Tim Cook, CEO of Apple, recently put it, as a choice of what kind of society we want to live in.[73]

In any scenario, it is reasonable and appropriate for legislators and regulators to consider not only the ideal of privacy but the impediments to innovation and productive purposes, and the diversion of resources, that compliance-focused protections may entail. It is prudent to identify and quantify as best possible the benefits and the costs, and prioritise risks that are most harmful. As the World Bank and Consultative Group to Assist the Poor (CGAP)[74] put it, “[p]olicy makers face the challenge of striking the right balance between promoting the benefits of the expanded use of alternative data while ensuring adequate data protection and attention to consumer privacy across the eco-system.”[75]

3 THE PRE-ENGAGEMENT PHASE: CONSUMER PROTECTION AND PRIVACY CHALLENGES OF NOTICE AND CONSENT

This section considers the requirement in many consumer protection and privacy laws to notify the consumer of the fact that, and purpose for which, their personal data will be collected, used and shared with third parties, and to obtain their consent – before they engage in submitting data and requesting the service.

3.1 Notifying consumers and obtaining their consent to use personal data

An increasing number of countries’ data protection laws and standards provide for stringent regulation of collection, use and sharing of data. These require firms to inform consumers when they are collecting personal data about them, and of the purpose for which the data will be processed, as well as whether they may transfer the data to third parties.[76] Third parties may also be required to notify a consumer where they acquire personal information about the consumer.[77] This is rarely required, however, and even when it is, it may be restricted to categories of information and not inferences about the individual.

Two longstanding themes of data protection and privacy law are “purpose specification” and relatedly “data minimisation”: the requirement to specify the purpose for which data is collected, used and shared, and to limit collection, use and sharing to data which is relevant, adequate and necessary for (or proportionate to) that purpose.[78] As any collection and use of data may increase risk to security and privacy, the objective is to minimise or avoid additional risk beyond what is necessary for the purpose. This aims to prevent “function creep” whereby data that is originally collected for one purpose is then used for other purposes.[79] The OECD Use Limitation Principle, for instance, refers to the need to obtain consent from the individual if the data is to be used for