Big data is a privacy minefield

Our every move can now be monitored, recorded and monetised.

That could mean big opportunities but also potentially big privacy issues for those companies collecting or using this information and for the customers from whom it is collected.

Browsing at the supermarket? Buying that pregnancy kit may mean nappy coupons in the mail. Posting pictures on Instagram on your mobile? All those photos of you toting bottles of liquor may be interpreted as you having a risky lifestyle.

Search engines can track browsing histories, car devices can track speed and wristbands determine our fitness levels.

Welcome to the world of big data i.e. the collection, analysis and generation of sets of structured and unstructured metadata in a volume that falls outside traditional forms of collection and storage.

Why is big data such a big deal?

For businesses, big data can be a veritable gold mine. This information can be used to tailor, identify and target new customers and markets while simultaneously reducing the need to rely on traditional marketing methods, thus reducing costs and increasing profits.

But what is  this seemingly arbitrary information? For public and private sector alike, this is a tricky issue. While this data can often be anonymised, at what point does it cross over into 'personal information'? Past the dotted line, this information becomes subject to the Privacy Act 1988.

With the scope of big data ever changing, Australian businesses need to be aware of the regulatory boundaries within which they must operate and how the goalposts are moving.

Who is using big data and why?

Big data is used across the gamut of industries. Businesses no longer need to rely on intermediaries to gather information and identify trends in market behaviour anymore.

In Australia, Woolworths collects customer data from its various product lines and uses it for marketing and pricing purposes. In 2013, Woolworths used combined data from its insurance arm and customer rewards cards to determine that customers who regularly purchased milk and red meat were lower risk than those who purchased pasta and rice, filled up petrol at night, and drank spirits. With the tools of data analytic company Quantium (in which Woolworth's owns 50 per cent ), Woolworths is identifying customer trends and using this information to tailor their product to the needs of customers.

Tesco (in the UK) offers discounts on home and car insurance on the basis of spending habits and Aviva (also in the UK) uses residential information to price home insurance, correlating a home's proximity to the street and cinemas with its probability of being robbed. Various car insurance companies, such as Allstate and Progressive, are recommending the use of tracking devices to monitor a driver's speed, distance, break pressure and time of day travelled to in turn offer reduced premiums for 'safer' drivers.

Regulatory concerns regarding big data use in Australia

So with a surge in the collection of such seemingly arbitrary information and the increase in the level of information being held about us, do businesses recognise what this data truly is?

Are our daily habits, movements or our routine actions now becoming 'personal information' for the purposes of the Privacy Act? Is the way one drives encompassed? Where we travel? The speed we drive? The food we buy? The suburb we live? Does an amalgamation of all this data enable an organisation to identify an individual?

If this is the case, then the use of big data and the evolving collection of new forms of data on individuals means that the true scope of 'personal information' goes beyond that specifically prescribed in the Privacy Act and raises concerns as to whether those companies using big data truly understand how to operate within the law.

A big issue is the question of consent – has it been given and is it reasonable for a company to collect information without explicit consent?

The Office of the Australian Information Commissioner had indicated that broad and open-ended approaches for collecting consent may not be regarded favourably in an audit. Generic clauses such as, 'we may choose to use your data to improve our services over time', may not be acceptable, nor will un-transparent, 'clickwrap', bundled or standard form contracts (often seen in the US) suffice.

Of particular importance is that the Privacy Act now has a 'privacy by design' type approach which imposes obligations on businesses to design and implement suitable practices, to ensure protection of the personal information it collects, manages, uses, handles and discloses.

This shifts the onus onto businesses to implement and keep their systems updated to ensure that they adapt and react to fast-evolving technology and then need to handle and process any information that could be personal information in the appropriate manner.

Privacy Act – possible future influence from 'right to be forgotten' ruling

Another hot topic is the destruction of personal information, or the “right to be forgotten”. A recent ruling by the European Court of Justice (ECJ) now requires 'Data controllers' in the EU, which includes search engines, to allow users to remove information which is "inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed".

In the UK, the House of Lords home affairs, health and education sub-committee recently issued strong commentary against the ECJ judgement, deeming it "wrong in principle" and "unworkable in practice". Whether Australian courts or legislature will echo this in regards to internet servers or align with the EU or the UK approach remains to be seen, though privacy and online freedom of expression will no doubt be primary considerations for the Australian courts in the near future.

When does the use of big data cross the discrimination line?

Finally, companies using big data need to toe the line between differentiating between target customers to create new markets and acting in a way that is deemed discriminatory.

Australian Commonwealth and State anti-discrimination laws make it unlawful to discriminate against individuals based on various grounds including age, race, sex, pregnancy, marital status and disability.

Where a company differentiates its product offerings or prices based on trends it has identified using big data, it must ensure that any differentiation is backed by analysis, which justifies its different offerings. Otherwise, the risk of a discrimination claim being made under Commonwealth and State law increases dramatically.

If companies want to ensure big data isn't a big issue, then they must ensure they are equipped to navigate the potential regulatory minefield.

Dean Carrigan, Partner and privacy specialist at the law firm Clyde & Co,  and John Gallagher, senior associate