Ethical Implications of Personal Data Usage from Corporations

Beatriz Alonso

d&a blog

Just two months ago, Facebook’s CTO Mike Schroepfer acknowledged in a statement that “the data of more than 87 million people could have been shared inappropriately with Cambridge Analytica.” Cambridge Analytica abused the possibilities offered by the social platform creating personality profiles based on that data stolen from the platform. This data was allegedly used to influence the outcome of Donald Trump’s presidential campaign. The profiling technique analyzed the voter as a consumer of a product (the candidate), and therefore the “product” could be adapted based on personality profiles generated with user data.

That Facebook and other applications that we use daily use our data for commercial purposes is nothing new, the problem lies in how third party agents can use various data sources for unethical purposes. Many social networks offer the possibility to segment audiences based on preferences that the user has marked, but also using insights drawn from activity information. Recent events have reopened at Facebook and elsewhere the debate about responsible use of data, and the necessary protection of data.

This Friday, May 25, the General Regulation of Data Protection of the European Union (GDPR) will come into force, giving European citizens more control over how their personal data is used. By reinforcing data protection legislation and introducing stricter enforcement measures, the European Union hopes to improve confidence in the emerging digital economy.

What is personal data?

Personal data is any information related to a natural person, identified or possibly identifiable (directly or indirectly). The European Union has substantially expanded the definition of personal data in the framework of the GDPR, and for example online identifiers or IP addresses are now considered personal data, as well as economic, cultural or mental health information, are also considered as information personal identification.

When we speak of anonymized data, we are talking about data, which for its later analysis, have been treated in a way that does not reveal identity, although in some cases, also considered in the framework of the GDPR, anonymized data or a set of anonymized data could eventually reveal an individual’s identity.

GDPR’s main principles

Article 5 of GDPR establishes the principles that must be followed in data processing. Many of these principles directly affect the processing of Big Data, and even before, the methods of data collection and retention.

The principles are the following:

a) Legality, fairness and transparency: Often, users are not fully informed and are not in a position to correctly understand the privacy policy of the services (for example, the apps) that collect their personal data. The individual must, among other things, be in a position to easily access information relating to their data, contact the person responsible for data protection and know the methods and purposes of the treatment.

b) Limitation of the purpose: The person who collects the data must inform the interested party of the purposes for which the data is collected. Subsequently, personal data may only be processed for purposes agreed on, and may not be used for purposes other than those reported.

c) Data minimization: Only personal data that is necessary for the informed purposes can be collected. That is, personal information can not be collected if it is not closely related to those purposes. The goal is to limit the amount of personal data processed to a minimum.

d) Accuracy and updating: The data must be updated and rectified constantly in case of request by the person concerned.

e) Storage limitation: The data can only be kept for the time necessary for its treatment. They can be stored for longer periods of time, to the extent that personal data are processed solely for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes.

f) Integrity and confidentiality: The data controller must ensure adequate security of personal data through appropriate technical and organizational measures, including protection against unauthorized or illegal treatment, and against loss, destruction or accidental damage.