68    Article 5 (LXXII), Constitution of the Federated Republic of Brazil, 3  edition, 2010, http:// english .tse .jus .br/ arquivos/
                                                                     rd
                federal -constitution.
            69   See https:// uidai .gov .in/  for more information about Aadhaar.
            70   K.S. Puttaswamy & Anr. v. Union of India & Ors. (2018), Paras 159-160, https:// www .sci .gov .in/ supremecourt/ 2012/ 35071/
                35071 _2012 _Judgement _26 -Sep -2018 .pdf.
            71   The US Federal Trade Commission, the general privacy regulator, is subject to a statutory balancing act as follows: “The
                Commission shall have no authority under this section … to declare unlawful an act or practice on the grounds that such
                act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is
                not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to
                competition.” 15 U.S. Code 45(n).
            72   E.g., Article 16 of the EU Charter of Fundamental Rights.
            73   Speech given to the International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Brussels on
                24 October 2018. Complete transcript available at https:// www .computerworld .com/ article/ 3315623/ security/ complete
                -transcript -video -of -apple -ceo -tim -cooks -eu -privacy -speech .html.
            74   CGAP is an arm of the World Bank focussed on alleviating poverty through financial inclusion. See https:// www .cgap
                .org/ about/ governance.
            75   World Bank & CGAP, Data Protection and Privacy for Alternative Data, GPFI- FCPL SUB-GROUP DISCUSSION PAPER
                -DRAFT- MAY,4 2018 p5.
            76   GDPR, Article 13. China’s Personal Information Security Specification 2018 requires data subjects to be informed
                about the scope, purpose and rules of the processing of their personal information in an explicit, comprehensible and
                reasonable manner.
            77   GDPR, Article 14.
            78   For example, China’s Personal Information Security Specification of 2018 provides that, unless the data subject
                otherwise agrees, a personal data controller should limit the processing of personal information to what is necessary to
                accomplish a specified purpose and delete such information as soon as the purpose is fulfilled.
            79   See generally, for example, Els J. Kindt, Privacy and Data Protection: Issues of Biometric Application, A Comparative
                Analysis, Heidelberg, Dordrecht, New York, London: Springer, 2013.
            80   OECD, Guidelines on Protection of Privacy and Cross-Border Flows of Personal Data, as amended in 2013, Principle 10,
                http:// oecdprivacy .org/ .
            81   GDPR, preamble paragraph 50 and Article 5(1)(b).
            82   For example, the 2016 EU General Data Protection Regulation states in its Preamble at para 40: “In order for processing
                to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some
                other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law. . .” (emphasis
                added). Consent means “any freely given, specific, informed and unambiguous indication of the data subject's wishes
                by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal
                data relating to him or her.” GDPR, Article 4(11).

            83   E.g., California Consumer Privacy Act 2018.
            84   E.g., the 2004 APEC Privacy Framework requires data controllers to provide “clear and easily accessible statements
                about their practices and policies with respect to personal information.”
            85   GDPR, Articles 13, 14 and 15.
            86   Likewise, Kenya’s Data Protection Bill being considered for enactment provides in Section 31, “Every data subject has
                a right not to be subject to a decision based solely on automated processing, including profiling, which produces
                legal effects concerning or significantly affects the data subject.” It also has exceptions to this, including whether the
                automated processing is necessary for a contract, authorized by law with safeguards and based on explicit consent.
            87   GDPR, Article 22(2).
            88   President’s Council of Advisors on Science & Technology, Big Data and Privacy: A Technological Perspective, The White
                House, May 1, 2014.

            89   See, e.g., Whitley, E. A., and Pujadas, R. (2018). Report on a study of how consumers currently consent to share their
                financial data with a third party, Financial Services Consumer Panel at ii. “The evidence from the empirical research
                suggests that consent is frequently neither freely given, nor unambiguous nor fully informed. Over half of the
                contributors claimed not to read any terms and conditions for products and services that they sign up for, including the





           50    Big data, machine learning, consumer protection and privacy