Privacy and Information Governance Challenges in the Age of Big Data, PART II

Kateri-Anne Grenier, Partner, Norton Rose Fulbright Canada LLP

October 26th, 2014


SUMMARY

I. Introduction

A. Definition

B. Did you know?

II. Big Data Breach Issues

A. Review of key principles

B. Adequacy of the legal framework?

1. Volume Issues

2. Data Use

III. Litigation and Evidentiary Challenges

A. ESI / E-discovery Definitions

B. ESI / E-discovery Issues

1. Canada

2. USA

3. EU

IV. Advising on Management of Big Data

A. Retention

B. Preservation

C. Destruction


INTRODUCTION


A. Definition:

Big Data: Extremely large data sets that may be analysed computationally to reveal patterns, trends, and associations, especially relating to human behaviour and interactions.

(Oxford Dictionary)


B. Did you know …

• “In the third century BC, the Library of Alexandria was believed to house the sum of human knowledge. Today, there is enough information in the world to give every person alive 320 times [what] historians think was stored in Alexandria’s entire collection” (Cukier and Schoenberger)

• If all this information was placed on stacked up CDs, it would form 5 separate piles that would all reach to the moon

• Only 10% of the existing information on a person is actually created by this person. The other 90% emanates from credit records, surveillance images, analytics on behavior, web-use histories, etc.

• 1 million customer transactions per hour feed into Wal-Mart’s databases, which is more data than held by America’s Library of Congress multiplied by 167

• TJX was required to pay $250 million following a Big Data breach

I. BIG DATA BREACH ISSUES


I. Big Data Breach Issues (New Privacy Challenges Arising Out of Big Data)

A. Review of key principles

• Consent: knowledge and consent of the individual required for the collection, use, or disclosure of PI, except where inappropriate

• Identifying Purposes: purposes for which PI is collected shall be identified at or before the time the information is collected

• Limiting Collection: PI collection limited to what is necessary for its purposes

• Limiting Use, Disclosure, and Retention: PI not to be used/disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. PI to be retained only as long as necessary

• Openness: specific information to be made available to individuals about an organization’s policies and practices relating to the management of PI

• Safeguards: PI protected by security safeguards appropriate to the sensitivity of the information

• Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of his/her PI and shall be given access to it


B. Adequacy of the legal framework?

1. Volume Issues

Limiting Collection:

– Limitless collection possible. Many companies tempted to collect more and more. Cheaper to stash than sort

– The tremendous amount of collected data makes breaches difficult to detect.

– Serious breach costs and consequences (financial, reputational, legal, etc.) – e.g. TJX USA

Openness:

– Assuring individuals access to their PI can be extremely difficult with extremely large amounts of data without proper information management

– It is becoming difficult to explain to data subjects in a simple and clear way the technicalities behind the use of PI


2. Data use issues

Limiting Use, Disclosure, and Retention:

- Predictive analytics: Big Data can be used to predict our intentions and our future behaviors

- Organizations may be tempted to use collected Big Data for predictive analytics beyond its intended collection purposes and retention periods (e.g. pregnancy-prediction algorithm, airline passenger lists)

- Big Data collected for potential but unclear uses which may not be in accordance with the limited use, disclosure and retention principles set out in the law and/or in the company’s privacy policy

Consent:

- Organizations may struggle to provide data subjects with a basic understanding of how personal information will be used in order to gain informed consent

- The wording of consents doesn’t always reflect the eventual use of the PI (e.g. ‘for marketing purposes’ v. predictive analytics)


II. LITIGATION AND EVIDENTIARY CHALLENGES


A. Definitions:

ESI: Electronically Stored Information, refers to all information stored in computers and storage devices (E-mail, voicemail, instant and text messages, databases, metadata, digital images, etc.)

E-discovery: The obligation of parties to a trial to exchange electronic documents (e-mails, messages, e-calendars and various data)


B. ESI / E-discovery Issues

• Big Data involves a significant increase in all of the risks associated with the protection of privacy (reputational, operational, financial, legal, etc.)

• The more Big Data that a party holds, the more information it might be obligated to communicate to another party in the course of litigation

• Amassing vast quantities of data can give rise to e-discovery risks in relation to such data, e.g. an adverse party's request for disclosure of unfiltered data in its entirety

1. Canada

– Few cases related to Big Data due to overarching private sector privacy law

2. USA

Research

– The large volume of data and misspelled information make traditional and key word searches less useful

– ESI custodians required for dealing with document requests

– Predictive coding techniques commonly used in the US: Selection of a group of documents (seed set) considered relevant. Predictive coding tools analyze these documents’ text in order to find other files of the same type. See: Da Silva Moore v. Publicis Groupe (first US judicial decision to endorse predictive coding)


Costs

– ESI searching in e-discovery involves a significant and wasteful cost to companies that need to produce thousands of documents in court files (e.g. search time, outsourcing to experts, etc.)

Race Tires America, Inc. v. Hoosier Racing Tire Corp.; Dirt Motor Sports, Inc (2012): E-discovery production costs not to be passed to other party

Mancia v. Mayflower Textile Servs. Co. (2008): Cooperation between parties is to be encouraged

Pippins v. KPMG LLP (2012): Cooperation with other party over scope of collection would have led to lower costs

3. Europe

– A 60,000 person class action has been lodged against Facebook for violations of European Privacy laws (non-existent in the U.S.). Plaintiffs wish to force Facebook to be more transparent with their use of personal data

– 1,222 pages of information collected by Facebook on one individual

– Max Schrems, ‘Fight for your Data!’


III. ADVISING ON MANAGEMENT OF BIG DATA


III. Management of Big Data According to PCOCata

A. Retention

Clearly define information collection purposes (marketing, client lists, etc.)

Restrict information collection to what is reasonably necessary for these defined purposes

Relate collected information to an activity

B. Preservation

Create policies to address the whole lifecycle of collected data (from collection to destruction)

Properly manage data so that individuals can have access to their personal information

Provide a clear explanation of how people can obtain access to their personal information held by your organization, and how they can request correction or deletion of this information

Structure your privacy policies for ease of reference: be transparent

Ensure that your employees are aware of data breach consequences

C. Destruction

Set retention periods for each type of information and/or document

When creating such periods, consider document format, information purposes, risks of retention and legislative requirements

Create a policy for irreversibly destroying data so that information reconstruction or recovery will be impossible

Use deletion methods that resist simple recovery methods


Thank you !