Businesses are gathering more and more data, and while the use of big data may bring financial rewards for the companies, it also brings with it an increased regulatory regime. Mr John Gallagher and Ms Brittany Guilleaume from Clyde & Co, Australia, discuss the regulatory landscape in Australia which governs the use of such data and the questions and issues companies must address to ensure it does not become a big issue.
Means of data collection are infinite and omnipresent. As leisure and commerce have moved online and communications can be recorded through our phones, cars and even our glasses, life can be monitored and recorded in a manner previously incomprehensible.
Supermarkets can track purchases through customer rewards cards, social networking sites can reveal risky or unhealthy lifestyles, search engines can track browsing histories, car devices can track speed and wristbands can determine our fitness levels.
What is big data and how is it used?
Welcome to the world of big data, i.e. the collection, analysis and generation of sets of structured and unstructured metadata in a volume that falls outside traditional forms of collection and storage.
An international surge in the use and trade of big data in recent times indicates that it offers lucrative possibilities in the aggregate, particularly for businesses focused on sales, and including insurance and reinsurance companies and financial institutions.
But while the use of big data may bring financial rewards, it also brings with it an increased regulatory regime. With the scope and application of big data ever changing, Australian companies need to be aware of the regulatory boundaries within which they must operate when using big data and be vigilant as to the true nature of the information they are collecting and using.
At what point does seemingly anonymous information become big data? At what point does big data become “personal information” and subject to the Privacy Act 1988 (Cth)? Is this information being managed in accordance with the Act or is it possibly being used in a discriminatory manner? These are important questions that must be asked and issues that must be addressed to ensure that big data does not become a big issue.
Who is using big data and why?
Organisations across a range of industries are using big data to tailor, identify and target new and unique markets in a manner designed to reduce costs and increase efficiency, profit and turnover.
In particular, businesses who would traditionally have relied on intermediaries to gather information on and identify trends in market behaviour (such as insurers and reinsurers) are now mining the warehouses of data they collect and hold to produce similar results, reducing the need to rely on the intermediary.
Climate Corporation (formerly known as WeatherBill) is a weather insurance underwriter that used free data from the National Weather Service to price and market tailored insurance products to weather dependent industries, such as those involved in tourism, aviation and agriculture. Alongside these insurance products, the company produces data on optimal planting, maturity and harvest dates, appropriate pest management levels and other geographical and soil information for affected farmers.
Closer to home, Woolworths collects customer data from its various product lines (supermarket, petrol, liquor, gambling, credit, mobile, insurance) and uses it for marketing and pricing purposes. In 2013, Woolworths used combined data from its insurance arm and customer rewards cards to determine that customers who regularly purchased milk and red meat were lower risk than those who purchased pasta and rice, filled up petrol at night, and drank spirits. Woolworths shares this information with data analytics company Quantum (in which Woolworths owns 50%), which packages and sells this information to other companies.
Some insurers use data to price premiums
Tesco (in the UK) offers discounts of up to 30% on home and car insurance on the basis of spending habits and Aviva (also in the UK) uses residential information to price home insurance, correlating a home’s proximity to the street and cinemas with its probability of being robbed.
Various car insurance companies, such as Allstate and Progressive, are recommending the use of tracking devices that monitor a driver’s speed, distance, brake pressure and time of day travelled in order to price premiums and, in turn, offer reduced rates for “safer” drivers.
Regulatory concerns regarding big data use in Australia
So with a surge in the collection of such seemingly arbitrary information and the increase in the level of information being held about us, do businesses recognise what this seemingly arbitrary data truly is? Is it an asset of the business that is capable of being quantified and booked? Does the business truly own the data? Are our daily habits, movements or our routine actions now becoming “personal information” for the purposes of the Act? Is the way one drives encompassed? Where they travel? The speed they drive? The food they buy? The suburb they live in? Does an amalgamation of all this data enable an organisation to identify an individual?
If this is the case, then the use of big data and the evolving collection of new forms of data on individuals means that the true scope of “personal information” goes beyond that specifically prescribed in the Privacy Act 1988 (Cth) and raises concerns as to whether those companies using big data truly recognise the key regulatory regimes within which they must operate and how such information must be handled.
As businesses gather more and more data, it becomes increasingly important to analyse that data and to consider whether it alone or together with other information held by the company could constitute personal information for the purposes of the Act.
What is “Personal Information”?
The Privacy Act, through the “Australian Privacy Principles” (the APPs), regulates the collection, storage, use, disclosure, and destruction of personal information. Personal information is defined as “information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable”.
The Act also governs sensitive personal information (which is information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record).
Companies wishing to leverage cloud technologies and use big data as part of a business strategy should be aware of the key requirements of the Act, including:
• The privacy by design approach;
• The requirements relating to notification and collection of personal information;
• The provisions relating to the disclosure of personal information (including off-shore); and
• The requirements relating to destruction and de-identification of personal information.
Privacy by design approach
Has an individual given consent to the collection or use of their personal information for a particular purpose? Would it be reasonable for a company to collect or use personal information relating to an individual without the data subject’s consent?
The Privacy Commissioner has stated that broad and open-ended approaches for collecting consent will not be regarded favourably in an audit. Generic clauses such as, “we may choose to use your data to improve our services over time”, may not be acceptable, nor will un-transparent, “clickwrap”, bundled or standard form contracts (often seen in the US) suffice.
Of particular importance is that the Act introduces a “privacy by design” approach which imposes positive obligations on all businesses to design and implement suitable practices, procedures and systems to ensure protection of the personal information it collects, manages, uses, handles and discloses.
By shifting the onus to implement adequate systems onto businesses, the Privacy Commissioner’s aim seems to be to place the responsibility on businesses to keep updated and to ensure that their systems are adequate to handle any information that could be personal information.
With the form, nature and structure of data changing at such a rapid pace, businesses need to carefully assess the true nature of their big data and to ensure that, if that data could constitute personal information for the purposes of the Act, their systems process such data in the same way as those systems process personal information.
Privacy Act – Possible future influence from ECJ “right to be forgotten” ruling
Managing the destruction of personal information has been the subject of recent European legal debate after the ECJ’s “right to be forgotten” ruling.
“Data controllers” in the EU, which includes search engines, are now required by request of a given user to remove information which is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed”.
In the UK, the House of Lords home affairs, health and education sub-committee recently issued strong commentary against the ECJ judgement, deeming it “wrong in principle” and “unworkable in practice”.
Whether Australian courts or the legislature will echo this judgement with regard to internet servers or align the APPs with the EU or the UK approach remains to be seen, though privacy and online freedom of expression will no doubt be primary considerations for the Australian courts.
When does the use of big data cross the discrimination line?
Finally, companies using big data need to be cognisant of the risks associated with differentiating between target customers with a view to creating new markets – in particular the risk that in doing so, the company may be acting in a way that is deemed to be discriminatory.
Australian Commonwealth and State anti-discrimination laws make it unlawful to discriminate against individuals based on various grounds including age, race, sex, pregnancy, marital status and disability.
Where a company differentiates its product offerings based on trends it has identified using big data, it must ensure that any differentiation is backed by analysis which justifies its different offerings.
The absence of any such analysis can lead to a discrimination claim under the relevant Commonwealth and State laws.
To mitigate the risk of such claims, companies using big data should ensure that the trends identified in their big data are not vague or unsupported and are such that they can justify their reasons for developing bespoke products or for charging different prices.
Companies also need to be cognisant of the need to carefully and securely store and manage such analysis, in particular in light of the provisions of the Privacy Act.
Mr John Gallagher is a Senior Associate and Ms Brittany Guilleaume is a Law Graduate, both at Clyde & Co, Australia.