The international core principles of data protection, including lawfulness, fairness, purpose-specification and –limitation – should be the cornerstone in any data protection regulation.
The purpose of data protection is to ensure that personal data is protected and it should avoid obstructing the development of new services. Therefore, the international core principles should be applied flexibly. News reports may have highlighted cases where the principles have not been satisfactorily followed by specific businesses or instances where consumers have had bad experiences. While it is tempting to introduce more specific rules when confronted with such cases, policy making should be based on solid evidence, identifying a minimum and proportionate level of protection, and avoiding rules that undermine the potential of existing and future technologies.
A legal framework must be flexible enough to fit low- and high-trust relationships. It should also allow the market to reward companies that innovate and give consumers the treatment they desire. For example, companies with ambitions to offer high value added services based on artificial intelligence will need to build trust by being very transparent and relying on specific consent to process data. Over time, consumers will want the trusted companies to rely more on ‘legitimate interest’ as a legal basis where they are not unnecessarily asked for permission to process data. This means the purposes in this instance should be ‘compatible’ with the purposes for which data has been collected. Accordingly, a framework should have flexibility to use both consent and legitimate interest as the legal basis.
Three elements are important to develop a future proof framework that will unleash the potential value of big data analytics:
It should in principle be lawful to process personal data where it is necessary for the purpose of the legitimate interests pursued, except where such interests are overridden by the interests or fundamental rights and freedoms of the consumer which require protection of personal data, in particular where the consumer is a child.
No rule should exist to prevent personal data collected for a specific purpose from being processed for a different but compatible purpose. Drawing a distinction between learning correlations in data and applying learned correlations to impact individuals, identifying correlations should in general, with appropriate measures in place, be considered a processing for a compatible purpose.
Lawfulness should be based on facts of the case, and the analysis should consider the reasonable expectations of the consumer, the context in which the personal data has been collected, nature of the personal data, consequences of the processing for the data subject, and the existence of appropriate safeguards such as encryption.
Collectively, these elements embody a risk-based approach and allow companies flexibility to introduce and adapt relevant and sufficient data protection measures. For example, it may be possible to reach an acceptable level of risk if a safeguard such as pseudonymisation is introduced to conceal the identity of the individual to the people analysing the data.