i
APPRAISAL OF THE EUROPEAN DATA
PROTECTION FRAMEWORK WITH RESPECT
TO THE USE OF BIG DATA FOR MARKETING
PURPOSES
Cédric De Smet
Stamnummer: 01301575Promotor: Prof. Dr. Wim Hardyns
Commissaris: Thom Snaphaan
Masterproef voorgedragen tot het bekomen van de graad van:
MASTER IN DE RECHTEN
iv
Acknowledgments
After six eventful years at UGent the time has come to conclude my academic journey and start a new chapter. It has been an exciting ride full of learning and friendship and but also disappointment, confrontation and at times sadness. Nevertheless, despite the sky not always being as blue as one would like, I truly had an amazing time and it made me the person I am today. It goes without saying that I did not take on this journey all by myself. Therefore, I would like to give special thanks to people without whom it would not have been possible.
First and foremost, I want to offer my sincerest gratitude to my parents for their unconditional support and love during my University years (also the food and financial contributions were great). Second, I want to thank my promotor, professor Wim Hardyns for giving me the opportunity to write about an issue that truly sparked my interests. In addition, I am genuinely grateful for the feedback, inspiration and insights given to me by my supervisor Thom Snaphaan and professors Eva Lievens, Willem Debeuckelaere and Gert Vermeulen. Thirdly, I want to thank my best friends, Bart Van Heesvelde, Charles Dardenne and Jules Goossens for always being there when I needed a sympathetic ear. Last but not least I would like to thank Lise. While things do not always turn out the way we want them to, I would not have pursued this subject without her.
Undoubtedly, the conclusion of this dissertation is one of my most significant achievements thus far, and although I sometimes felt like launching my laptop against the wall, I had not dared to dream of learning so much about a subject so pertinent. This thesis is based on the idea that some of the core principles of data protection no longer seem compatible with data processing in the age of big data and explores, to a certain extent, an alternative approach. Opinions hereon will undoubtedly be divided, nevertheless, I hope to have contributed to the legal debate on this matter and that this research proves to be as interesting and thought-provoking for its readers as it was for me to write.
Thank you all.
Enjoy reading.
v
Permission
Ondergetekende verklaart dat de inhoud van deze masterproef mag geraadpleegd en/of gereproduceerd worden voor persoonlijk gebruik. Het gebruik van deze masterproef valt onder de bepalingen van het Belgische auteursrecht en bronvermelding is steeds noodzakelijk.
The undersigned declares that the contents of this dissertation may be consulted and/or reproduced for personal use. The content of this dissertation is protected by Belgian copyright law, due acknowledgment is required.
Naam student/name student: Cédric De Smet Handtekening/signature;
vii
Table of Contents
ABSTRACT________________________________________________________________________1 RESEARCH METHODOLOGY __________________________________________________________5 CHAPTER ONE: BIG DATA AND ITS APPLICATIONS IN MARKETING ___________________________7 1.1 SCOPE ____________________________________________________________________7 1.2 WHAT IS BIG DATA? __________________________________________________________7 1.2.1 Definition ________________________________________________________________7 1.2.2 Distinctive elements ______________________________________________________10 1.2.2.1 Volume _____________________________________________________________11 1.2.2.2 Velocity _____________________________________________________________12 1.2.2.3 Variety _____________________________________________________________12 1.2.2.4 Veracity ____________________________________________________________13 1.2.2.5 Value _______________________________________________________________13 1.2.2.6 Technical Computation ________________________________________________14 1.3DIRECT MARKETING ____________________________________________________________15 1.3.1 Introduction _____________________________________________________________15 1.3.2 Behavioural advertising ____________________________________________________15 1.3.2.1 Actors ______________________________________________________________16 1.3.2.2 Tracking technology ___________________________________________________17 1.3.2.3 Profiles _____________________________________________________________18 1.4CONCLUSION _________________________________________________________________20
CHAPTER TWO: KEY PROVISIONS OF EUROPEAN DATA PROTECTION _______________________21 2.1SCOPE ______________________________________________________________________21 2.2EUROPEAN DATA PROTECTION LEGISLATION AND THE DATA PROTECTION DIRECTIVE _________________21 2.3GENERAL DATA PROTECTION REGULATION _____________________________________________24 2.3.1 Introduction _____________________________________________________________24 2.3.2 Principles of data protection under the GDPR ___________________________________25 2.3.2.1 The Principle of Lawfulness, Fairness and Transparency _______________________25 2.3.2.2 The Principle of Purpose Limitation _______________________________________31 2.3.2.3 The Principle of Data Minimisation _______________________________________32 2.3.2.4 The Principle of Accuracy _______________________________________________34 2.3.2.5 The Principle of Storage Limitation _______________________________________35 2.3.2.6 The Principle of Integrity and Confidentiality (or Data Security Principle) _________35 2.3.3 The Requirement of Accountability ___________________________________________37 2.3.4 Profiling and automated individual decision-making under the GDPR ________________39 2.3.4.1 Definitions __________________________________________________________39 2.3.4.2 General provisions on profiling and automated decision-making ________________41 2.3.4.3 Article 22 General Data Protection Regulation ______________________________44 2.3.5 Enforcement and sanctions under the Regulation _______________________________46 2.3.5.1 Independent supervisory authorities ______________________________________47
viii 2.3.5.3 European Data Protection Board (the ‘Board’) ______________________________47 2.3.5.4 Remedies, liability and penalties _________________________________________48 2.3.5.4 In practice ___________________________________________________________49 2.4THE RELATIONSHIP BETWEEN THE GDPR AND EPRIVACY LEGISLATION ___________________________52 2.4.1 Cookies ________________________________________________________________52 2.4.2 Direct marketing _________________________________________________________57 2.5THE PROTECTION OF A CHILD’S DATA UNDER THE GDPR ____________________________________59 2.5.1 Definition of a child _______________________________________________________59 2.5.3 Lawfulness of processing ___________________________________________________60 2.5.3 Transparency ____________________________________________________________63 2.6CONCLUSION _________________________________________________________________64
CHAPTER THREE: DATA PROTECTION VS BIG DATA MARKETING ___________________________65 3.1SCOPE ______________________________________________________________________65
3.2THE PROBLEMS ________________________________________________________________66 3.2.1 Is purpose limitation limiting possibilities? _____________________________________66 3.2.1.1 Purpose limitation and data minimisation collide with societal reality ____________66 3.2.1.3 Purpose limitation in marketing __________________________________________69 3.2.2 Consent: effective control or ‘mechanical proceduralism’? ________________________70 3.2.2.1 I consent to… what exactly? _____________________________________________70 3.2.2.2 Consent in marketing __________________________________________________72 3.3THE – POSSIBLE – SOLUTIONS ______________________________________________________75 3.3.1 Legitimate interests test ___________________________________________________75 3.3.1.1 Criticism ____________________________________________________________75 3.3.1.2 Legitimate interests applied towards the issue of special categories _____________77 3.3.1.3 The legitimate interests approach in practice _______________________________79 3.3.2. Transparency, control and privacy by design ___________________________________82 3.4CONCLUSION _________________________________________________________________88
CONCLUDING REMARKS ___________________________________________________________89 BIBLIOGRAPHY ___________________________________________________________________92
ix
1
Abstract
“Big data is the new oil”
The question arises whether Clive Humby1 foresaw how extraordinary accurate his statement turned out to be when he first uttered these famous words back in 2006. Big data refers to the algorithmic2 analysis of vast digital datasets to identify trends and correlations, which can be applied to advance the efficiency of certain goods and services. Consider the notion ‘vast’; to put it into perspective, there are 2.5 quintillion (that is a ten with eighteen zeros behind it) bytes of data created every day.3 While it is almost impossible to wrap your head around this number, the following statistics might help illustrate the enormous scale of day-to-day data-creation: 90% of all data has been created in the last two years4, 4.1 billion humans use the Internet every day, 2.3 billion of which are active on Facebook; every minute 2.4 million Google-searches are processed, 456.000 tweets are sent; 46.740 photos are posted on Instagram, 300 minutes of footage are uploaded to YouTube, 527.760 photos are shared through Snapchat and 156 million e-mails are sent.5 Immediately, it is evident that there is no shortage of the raw material needed to extract value from data analytics. The ambitious statements of private undertakings and policy documents published by governments often refer to the new opportunities introduced by big data analytics and, as such, the concept has been accompanied by a great deal of hype. Nevertheless, for some time already, it has become evident that the multi-billion-dollar data industry has outlived the hype, and is here to stay.6
Globalisation and the rise of big data-based business models have contributed to the unbridled collection and processing of personal data, more often than not without any
1 Clive Humby is the Chief Data Scientist and Executive Director of Starcount Ltd and is responsible for
numerous breakthroughs in market segmentation and marketing. In addition, he is a professor at the University of Chicago where he teaches Integrated Marketing.
2 An algorithm can be described as a step-by-step procedure for calculation, data processing, evaluation and
automated reasoning and decision-making. Source: EUROPEAN UNION AGENCY FOR FUNDAMENTAL RIGHTS (FRA), Handbook on European data protection law – 2018 edition, Luxemburg, Imprimerie Bietlot, 2018, 351. (Hereafter: FRA, Handbook on European data protection law 2018).
3 B. MARR, “How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read”,
Forbes 2018,
https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#76f0f0ed60ba.
4 IBM MARKETING CLOUD, “10 Key Marketing Trends for 2017 and Ideas for Exceeding Customer
Expectations”, IBM 2016. Available at: http://comsense.consulting/wp-content/uploads/2017/03/10_Key_Marketing_Trends_for_2017_and_Ideas_for_Exceeding_Customer_Expecta tions.pdf.
5 X, “Data Never Sleeps 5.0”, Domo 2017,
https://web-assets.domo.com/blog/wp-content/uploads/2017/07/17_domo_data-never-sleeps-5-01.png.
6 IDC MEDIA CENTER, “IDC Forecasts Revenues for Big Data and Business Analytics Solutions Will Reach
$189.1 Billion This Year with Double-Digit Annual Growth Through 2022”, IDC 2019, https://www.idc.com/getdoc.jsp?containerId=prUS44998419.
2 consideration as to the possible implications thereof.7 These developments induced growing discontent amongst the public concerning the security of personal data and precipitated the need for a new legal framework addressing data protection in the European Union. Hence, on 25 May 2018, the long-overdue General Data Protection Regulation8 (hereafter: GDPR) entered into force. The Regulation’s overall objective is to ensure a high level of protection of personal data and facilitate the free flow of said data9 by harmonising the European data protection legislation.10 The 25th of May 2018 should have also marked the coming into force of the ePrivacy Regulation11; legislation designed to ensure the protection of user privacy when data is being communicated electronically. Replacing the ePrivacy Directive (ePD)12, this regulation would act as the new lex specialis13 on electronic communication in respect of the GDPR. However, despite the European Parliament adopting the proposal in October 2017, continual roadblocks from lobbyists have it bogged down in the Council of Ministers ever since.14 As a result, regarding electronic communication, cookies and direct marketing, the nationally transposed provisions of the ePrivacy Directive continue to exist next to the GDPR. Although the GDPR is most likely the most comprehensive and forward-looking piece of legislation regarding data protection in the digital age15, questions have arisen as to the compatibility of its core principles and the requirements for modern and efficient applications of big data. For one, the principle of purpose limitation stated in Article 5, 1,
(b) GDPR allows data to be collected for specific, explicit and, legitimate purposes. Additionally, this data cannot be further processed in a manner incompatible with those purposes. Big data analytics, on the other hand, implies the collection of large volumes of data, the purpose of which is not always known to data subjects (nor to the data controller,
7 E. LIEVENS and V. VERDOODT, “Looking for needles in a haystack: Key issues affecting children’s rights
in the General Data Protection Regulation”, Computer Law & Security Review 2018, vol. 34, (269) 269. (Hereafter: LIEVENS 2018).
8 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Official Journal L 119/1, 4 May 2016. (Hereafter GDPR).
9 Recital (9) GDPR.
10 O. AJIBADE, “A Critical Appraisal of Big Data Analytics within the General Data Protection
Regulation (GDPR) Landscape”, Tilburg Institute for Law, Technology and Society (TILT) 2018, 8. (Hereafter: AJIBADE 2018).
11 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private
life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), European Commission 2017. (Hereafter: Proposal ePrivacy Regulation).
12 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L 201/37, 31 July 2002. (Hereafter: ePD)
13 The lex specialis-doctrine states that if two laws govern the same factual situation, a law governing a specific
subject matter (lex specialis) (in this case the ePrivacy Regulation which only applies to electronic communications) overrides a law governing only general matters (lex generalis) (the GDPR, whose area of application covers the processing of personal data in general). Commentary to Trans-Lex Principle, https://www.trans-lex.org/910000.
14 S. VOGEL and D. WALKER, “ePrivacy Regulation: What is it and how does it affect me?”, ITPRO 2019,
https://www.itpro.co.uk/privacy/32712/eprivacy-regulation-what-is-it-and-how-does-it-affect-me, D. THOMAS, “ePrivacy Regulation continues to stall, but there's hope?”, iapp 2019, https://iapp.org/news/a/eprivacy-regulation-continues-to-stall-but-theres-hope/.
15 T. Z. ZARSKY, “Incompatible: The GDPR in the Age of Big Data”, Seton Hall Law Review 2017, vol. 47,
3 for that matter).16 To comply, entities engaging in big data analytics should inform the concerned data subjects of all future processing and closely monitor their practices to assure they did not exceed the boundaries of the specified purpose, a task that, considering the immense scale of the operation, might prove very difficult, if not impossible.17 Or consider the principle of data minimisation (Article 5, 1, (c) GDPR) under which personal
data may be collected if the data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; this is in stark contrasts with the apparent incentive for commercial entities to collect and retain as much data as they can and store it for as long as possible.
Due to the inherent complexity of the matter at hand, the scope of this discussion will be limited to the legal implications regarding the use of ‘big data’ and its application in advertising in the European Union. Although this development does not pertain to all problems associated with the use of personal data, it is highly illustrative of the evolution thereof. In the marketing sector, extensive analysis of customer behaviour (both off- and online) has provided for new and better insights into consumer habits at the expense of privacy and control. The main objective of this thesis is to assess to what extent the use of big data analytics for marketing purposes is compatible with the principles of European data protection legislation. To answer the central question, the following sub-questions will be explored:
- What are the elements and features of big data analytics and how do they relate to modern marketing strategies; in particular the use of tracking technologies (e.g. cookies), profiling and automated decision-making for the purpose of direct marketing?
- What are the core principles of the GDPR? Where does the GDPR stand on direct marketing, behavioural advertising, profiling and automated decision-making? - What is the relationship between the GDPR and ePrivacy legislation?
o Assessment of the relevant provisions on consent, direct marketing and tracking technology.
o What changes are put forward by the proposed ePrivacy Regulation? - How are the elements of big data analytics compatible with the current legal
framework? Rather than ask whether the provisions of the GDPR have improved upon the protection under the Data Protection Directive, one must assess whether the core legal principles of data protection can still be effective and considered legitimate as society moves towards a future driven by data.
o What problems in abstracto and in concreto are identified?
o Do these problems equally apply to the use of big data in marketing? o Are there viable solutions, both short- and long-term?
16 AJIBADE 2018, 8.
4
5
Research Methodology
This thesis employs the doctrinal research method through the problem-based approach to formulate an answer to the central research question. This method can be described as: “Research which provides a systematic exposition of the rules governing a particular legal category, analyses the relationship between rules, explains areas of difficulty and, perhaps, predicts future developments.”18 To put this methodology into practice the following steps were taken: (i) assembling the relevant facts regarding big data analytics and the GDPR system and principles; (ii) identifying and analysing the issues at hand; (iii) locating and studying the primary source material (including legislation, administrative documents and case law); and (iv) synthesising all the issues in the legal context.19 Aside from the provisions of the GDPR, also Article 29 Working Party (hereafter: A29 WP) opinions and guidelines on (big) data processing, guidelines from the European Data Protection Board (hereafter: EDPB), case law from the national data protection authorities and the European Court of Justice, factsheets and other relevant information from the websites of the European institutions and literature on the elements, goals and issues of big data analytics, direct marketing and behavioural advertising and data protection law will prove to be indispensable source materials.
18 T. HUTCHINSON and N. DUNCAN, “Defining and Describing What We Do: Doctrinal Legal Research”,
Deakin Law Review 2017, vol. 17, (83) 101.
6
7
CHAPTER ONE: Big data and its applications in marketing
1.1 Scope
Before focussing on the legal issues surrounding big data analytics and marketing, it is necessary to examine the principal components that form the foundation of the dissertation. First, the concept of big data is addressed. ‘Big data’ has as many definitions as possible applications, therefore, to guarantee good understanding throughout this thesis, section 1.2 will conduct an exposition on the key characteristics and features generally attributed to big data. Afterwards, having established a general understanding of the phenomenon, it is important to keep in mind the material scope. The targeted use of big data – direct and behavioural marketing – concerns an instance where the results of big data analytics are applied to specific individuals and thus affect them directly. In most cases, the output of big data processes are merely statistical findings related to aggregated data.20 Nevertheless, the emergence of personalised digital interfaces has allowed for the tailoring of unique interactions with users on the basis of previously collected data.21 While this aspect of big data pertains to a mere fraction of its overall uses, it has undoubtedly generated the most challenging policy questions on the one hand and the most significant economic and social benefits on the other.22 As such, direct and behavioural marketing and their place within the European data protection framework will be discussed in section 1.3.
1.2 What is big data?
1.2.1 Definition
“How Target found out that a teen girl was pregnant before her father did”. This is the eye-catching headline from a 2012 Forbes article that demonstrates how big data analytics can be applied in the marketing and sales sector. When Andrew Pole had just started working for Target back in 2002, two co-workers stopped by his desk to ask an odd question: “Could you figure out a way to find out if a customer is pregnant, even if she did not want us to know?” And, as it turned out, he could. By giving shoppers a Guest ID number, tied to their credit card, name or e-mail, Target could keep track of their purchases. This data, when analysed together with demographic information and a list of twenty-five products often bought by pregnant women, allowed Target to assign each customer a ‘pregnancy prediction score’. Even more impressive, the score could estimate the customer’s due date to within a small window, enabling Target to send coupons timed to particular stages of the pregnancy.23 Truth be told, though, in the early 2000s, ‘data’
20 ZARSKY 2017, (995) 1000. 21 ibid.
22 ibid.
23 Source: K. HILL, “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did”, Forbes 2012,
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-8 was not revered as the supreme business solution of the future, in fact, because of the exponential growth in data creation, a data scalability crisis seemed imminent. However, rapid developments in CPU-24 and storage technologies and their fall in price allowed businesses to allocate substantial budgets on data collection and analysis.25 Behold, the age of big data.
According to the European Data Protection Supervisor (EDPS)26, big data, in general terms, refers to “the practice of combining huge volumes of diversely sourced information and analysing them, using more sophisticated algorithms to inform decisions.”27 Both Rubinstein28, who considers big data “a more powerful form of data mining that relies on huge volumes of data, faster computers, and new analytic techniques to discover hidden and surprising correlations”, and Fayyad29 who describes it as “the nontrivial extraction of implicit, previously unknown, and potentially useful information from data”, take a similar approach, defining big data as a form of analytics. Also, Article 29 Working Party30, the independent European body that dealt with issues relating to the protection of privacy and personal data and published opinions on the operability of certain GDPR-principles, considers big data a form of analytics: “Big data refers to the exponential growth in availability and automated use of information: it refers to gigantic digital datasets held by corporations, governments and other large organisations, which are then extensively analysed using computer algorithms. […] The expectation from big data is that it may ultimately lead to better and more informed decisions.”31
Russom32 does not inherently associate big data with analytics. On the one hand, there is big data for massive amounts of diverse and detailed information. On the other, there is analytics, an amalgam of tools including, but not limited to those based on artificial
her-father-did/#41fa9ea86668 and C. DUHIGG, “How Companies Learn Your Secrets”, New York Times 2012, https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=1&_r=1&hp.
24 CPU (pronounced as separate letters) is the abbreviation for central processing unit. Sometimes referred to
simply as the central processor, but more commonly called a processor, the CPU is the brains of the computer where most calculations take place. In terms of computing power, the CPU is the most important element of a computer system. Definition by V. BEAL, “CPU – Central Processing Unit”, Webopedia, https://www.webopedia.com/TERM/C/CPU.html.
25 P. RUSSOM, “TWDI Best practise report – Big Data Analytics”, TWDI Research 2011, 4. (Hereafter:
RUSSOM 2011).
26 EDPS is an independent institution of the European Union (EU) responsible for ensuring that the
fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies.
27 EUROPEAN DATA PROTECTION SUPERVISOR, Opinion 7/2015 Meeting the challenges of big data: A
call for transparency, user control, data protection by design and accountability, 2015, 7. (Hereafter: EDPS,
Opinion 7/2015 on the challenges of big data).
28 I. S. RUBINSTEIN, “Big Data: The End of Privacy or a New Beginning?”, Data Privacy Law 2013, vol. 3,
(74) 74. (Hereafter: RUBINSTEIN 2013).
29 U. M. FAYYAD, G. PIATETSKY-SHAPIRO and, P. SMYTH, “From Data Mining to Knowledge Discovery:
An Overview” in U. M. FAYYAD (eds.), Knowledge Discovery and Data Mining, California, American Association for Artificial Intelligence Menlo Park, 1996, (1) 6. (Hereafter: FAYYAD 1996).
30 The Article 29 Working Party ceased to exist on 25 May 2018. It was replaced by the European Data
Protection Board. https://edpb.europa.eu/about-edpb/about-edpb_en.
31 ARTICLE 29 WORKING PARTY, Opinion 3/2013 on purpose limitation, WP 203, 45. (Hereafter: A29 WP,
Opinion on purpose limitation).
9 intelligence (AI), statistics, predictive analytics, language processing and data mining.33 Nevertheless, while Russom opines that big data an sich does not include any analytical attributes, he does, however, argue that they are being put together for a good reason. After all; (i) most analytical tools designed for data mining tend to be optimised for large data sets, the larger the data sample, the more accurate are the results of the analysis; (ii) recent generations of processing software and infrastructure have significantly reduced the time it takes to analyse vast data sets; (iii) analytical tools are now more affordable, enabling small-to-midsize businesses to enter the era of big data; (iv) modern tools and techniques for advanced analytics have become more tolerant of raw sources of data no matter how messy or non-standard they are; and (v) big data analytics have become a crucial asset for businesses which merits leverage through the creation of new insight, both regarding their opportunities and shortcomings.34
The above definitions focus on the quantitative, analytical and, predictive attributes of big data analytics.35 The quantitative refers to the large amounts of diverse data being processed. The analytical attribute underlines the processing of said data using specialised tools to reach an output. Finally, big data analytics are considered predictive because they create insight into previously unknown situations.36 In marketing, for instance, big data is applied towards individually targeted advertisements; i.e. the analysis of online consumer behaviour – consisting of, inter alia, volunteered and inferred information, visited websites, clicked links and viewed products – allows companies to infer the preferences of data subjects and present them with tailored advertisements.37
Countless other approaches have been taken in defining the nature of big data. Oracle, for example, contends that big data is the derivation of value from traditional database-driven decision making, augmented with new sources of unstructured data such as blogs, social media, picture data and sensor networks.38 Further, they also stress the importance of infrastructure. After all, the end goal is to easily integrate big data with existing enterprise data to analyse the combined data set.39 Intel, on the other hand, links big data to organisations who perform analytics on 500 terabytes (TB) or more of unstructured data per week.40 Rather than focusing on a theoretical approach, Intel describes big data by quantifying the experiences of its business partners.41 However, considering the age of Intel’s survey and the fact that 90% of all data has been created in the last two years, this number might no longer be accurate. Kitchin and Lauriault also pointed out that big data
33 ibid, 4. 34 ibid. 35 AJIBADE 2018, 14. 36 ibid. 37 ibid.
38 J. S. WARD and A. BARKER, “Undefined By Data: A Survey of Big Data Definitions”, School of Computer
Science, University of St Andrews 2013, https://arxiv.org/pdf/1309.5821.pdf, 1. (Hereafter: WARD 2013).
39 J. P. DIJCKS, “Oracle: Big Data for the Enterprise”, Oracle White Paper 2013,
http://www.oracle.com/us/products/database/big-data-for-enterprise-519135.pdf, 5.
40 INTEL IT CENTER, “Peer Research: Big Data Analytics”, Intel 2012, https://www.intel.com/
content/dam/www/public/us/en/documents/reports/data-insights-peer-research-report.pdf, 4.
10 is characterised by technological development.42 Analytic tools utilise the power of algorithms and computation to process and provide insight into datasets that would be too costly, difficult and time-consuming to analyse with traditional small data methods.43 ‘Algorithm’ and ‘computation’ was further identified by Hildebrandt44 as ‘knowledge discovery in databases (KDD)45’ and ‘machine learning46’, which form the core of Artificial Intelligence, enabling a computer system to use an input experience to solve a specific task.47 Finally, according to Mayer-Schönberger and Padova, big data opens up a new perspective on reality.48 Humans have always tried to understand the world through observation. However, in analogue times, collecting and analysing data proved time-consuming and expensive. Technological advancements have dramatically reduced the time and cost to gather and analyse information, offering vastly more detail and an unprecedented comprehensiveness of large data sets.49
1.2.2 Distinctive elements
Although consensus on the definition of big data is not yet upon us, it is clear that the definitions discussed above have certain elements in common. First of all, most authors and institutions seem to agree that big data, at least in part, can be described through the three Vs – volume (the amount of data), velocity (the speed of data creation and analysis) and variety (the diversity of data). The origin of the three Vs dates back to a 2001 trend rapport50 on the increasing importance of e-commerce and the data management challenges that this evolution entailed. The three Vs are presented as problems to which the author offers practical solutions. It was Phillip Russom51, in his 2011 report on big data analytics, who first designated the three Vs as (the) distinctive elements of big data. While most definitions up until then focussed merely on the size of data in storage (volume), Russom opined that velocity and variety are just as important. Of course, the amount of Vs has increased steadily ever since, amassing to a whopping 42 Vs in 2017
42 R. KITCHIN and T. P. LAURIAULT, “Small data, data infrastructure and big data”, SSRN Electronic
Journal 2014, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2376148, 13. (Hereafter KITCHIN 2014).
43 ibid.
44 M. HILDEBRANDT, “Slaves to big data, or are we?”, IDP Revista d’Internet, Dret i Politica 2013,
https://www.raco.cat/index.php/IDP/article/viewFile/303366/393038, (27) 29 – 30. (Hereafter: HILDEBRANDT 2013).
45 KKD has been defined as “the nontrivial process of identifying valid, novel, potentially
useful and ultimately understandable patterns in data.” Source: FAYYAD 1996, 41.
46 Machine learning has been defined as: A machine learns with respect to a particular task T,
performance metric P, and type of experience E, if the system reliably performs its performance P at task T, following experience E. Source: T. M. MITCHELL, ““Introduction”. The Discipline of Machine Learning”,
School of Computer Science, Carnegie Mellon University 2006, http://www-cgi.cs.cmu.edu/~tom/pubs/MachineLearningTR.pdf, 1.
47 AJIBADE 2018, 18.
48 V. MAYER-SCHÖNBERGER and Y. PADOVA, “Regime Change? Enabling Big Data Through Europe’s New
Data Protection Regulation”, Columbia Science & Technology Law Review 2016, (315) 318. (Hereafter: MAYER-SCHÖNBERGER 2016).
49 ibid.
50 D. LANEY, “3D Data management: Controlling data Volume, Velocity, and Variety”, Meta Group 2001,
https://blogs.gartner.com/doug-laney/files/2012/01/ad949-3D-Data-Management-Controlling-Data-Volume-Velocity-and-Variety.pdf.
11 after the publication of Tom Shafer’s – perhaps somewhat ironic – article.52 As of today, however, in addition to the original trilogy, only veracity53 (the uncertainty of data) and value54 (the value of data) have appeared regularly in professional literature. Additionally, it seems imperative to address the conditio sine qua non of big data: technical computation. Algorithms and computational methods have enabled us to zoom in on data like never before.55 Nevertheless, continuous innovation will be necessary to keep up with the abundance, timeliness and messiness associated with big data.56
1.2.2.1 Volume
The size of datasets is a constant in every definition of big data. For a dataset to be considered big, it should consist of terabytes or petabytes of data.57 This quantitative approach is put forward by Kitchin and Russom who argue that volume an sich is a defining attribute of big data.58 Rubinstein, on the other hand, opines that huge volume is, among other elements, a necessary condition to discover hidden and surprising correlations, the ultimate goal of big data analytics.59 After all, for there to be prediction or insight, there must be profiling (infra) and for profiling to be accurate and meaningful, it must act on large amounts of information.60 Also, the definitions of the EDPS and the A29 WP emphasise that volume is a prerequisite for making ‘informed decisions’, rather than explicitly quantifying the concept (supra).
In a survey conducted by NewVantage Partners in 2018, they observed that over 97% of the respondents are collecting data for analytic purposes.61 It should be noted that most times, this large storage of data does not have a pre-established purpose.62 This situation is in stark contrast to the principle of purpose limitation set out in the GDPR. This will be further discussed in Chapters 2 and 3. In any case, with twenty-six billion devices
52 T. SHAFER, “The 42 V's of Big Data and Data Science”, Elder Research 2017,
www.elderresearch.com/blog/42-v-of-big-data.
53 See among others: IMG BIG DATA HUB, “The Four V’s of Big Data”, IMG 2013,
http://www.ibmbigdatahub.com/infographic/four-vs-big-data and GUTCHECK, “Veracity: The Most Important “V” of Big Data”, GutCheck 2019, https://www.gutcheckit.com/blog/veracity-big-data-v/.
54 See among others: B. MARR, “Why only one of the 5 Vs of big data really matters”, Blog IBM Big Data &
Analytics Hub 2015, http://www.ibmbigdatahub.com/blog/why-only-one-5-vs-big-data-really-matters and BIG
DATA FRAMEWORK, “Five ways to capture Value from Big Data”, Big Data Framework 2018, https://www.bigdataframework.org/value-of-big-data/.
55 MAYER-SCHÖNBERGER 2016, (315) 318. 56 KITCHIN 2014, 13.
57 R. KITCHIN, “Big data and human geography: Opportunities, challenges and risks”, Dialogues in Human
Geography 2013, vol. 3, (262) 262. (Hereafter: KITCHIN 2013) and RUSSOM 2011, 6 – 7.
58 ibid.
59 RUBINSTEIN 2013, (74) 74. 60 AJIBADE 2018, 18.
61 NEWVANTAGE PARTNERS, “Big Data Executive Survey 2018 – Data and Innovation: How Big Data and
AI are Driving Business Innovation”, NewVantage Partners 2018, http://newvantage.com/wp-content/uploads/2018/01/Big-Data-Executive-Survey-2018-Findings-1.pdf, 2. (Hereafter: NVP Survey 2018).
12 connected to the Internet today and an estimate of seventy-five billion in 202563, big data’s raw material is not going to become scarce anytime soon.
1.2.2.2 Velocity
Velocity refers to the speed of data creation and the frequency of data delivery within a system. According to Russom64, streams of data can be analysed in batches, near-time or real-time. Of course, near-time or real-time information makes it possible for a company to be much more agile than its competitors.65 For example, websites have for years used cookies (infra) and clickstream data66 to make immediate purchase recommendations to visitors. However, with data relentlessly flying in real-time, data volumes get big quickly. Even more challenging, analytic tools have to make sense of this data and possibly take action – all in real-time.67
1.2.2.3 Variety
Data is coming from a greater variety of sources than ever before. Online entertainment providers (e.g. Netflix, Spotify and YouTube), e-commerce platforms, social media services (e.g. Twitter, Facebook and Instagram) and the advance of the Internet of Things (IoT)68 (e.g. data collected form sensors, cameras, interactive toys, GPSs and robots) provided for massive amounts of structured, semi-structured and unstructured data.69 Therefore, with big data, variety is just as ‘big’ as volume and one cannot exist without the other.70
63 STATISTA RESEARCH DEPARTMENT, “Internet of Things (IoT) connected devices installed base
worldwide from 2015 to 2025 (in billions)”, Statista 2016, https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/.
64 RUSSOM 2011, 7 – 8.
65 A. MCAFEE and E. BRYNJOLFSSON, “Big data: the management revolution”, Harvard Business Review
2012, (60) 63.
66 Clickstream analysis (also called clickstream analytics) is the process of collecting, analysing and reporting
aggregate data about which pages a website visitor visits – and in what order. The path the visitor takes through a website is called the clickstream. Source: M. ROUSE, “clickstream analysis (clickstream analytics)”,
TechTarget 2016, https://searchcustomerexperience.techtarget.com/definition/clickstream-analysis-clickstream-analytics#targetText=On%20a%20Web%20site%2C%20clickstream,website%20is%20called%20 the%20clickstream.
67 RUSSOM 2011, 7 – 8.
68 “Internet of Thing (IoT) refers to the networked interconnection of everyday objects, which are often
equipped with ubiquitous intelligence. IoT will increase the ubiquity of the Internet by integrating every object for interaction via embedded systems, which leads to a highly distributed network of devices communicating with human beings as well as other devices.” Source: F. XIA, L. T. YANG, L. WANG and A. VINEL, “Internet of Things”, Int. J. Commun. Syst. 2012, vol. 25(9), (1101) 1101.
69 Structured data, put simply, is data written in a format that’s easy for machines to understand and can be
easily searched by basic algorithms. It conforms to a rigid format to ensure consistency in processing and analysing it. Examples include spreadsheets and data from machine sensors. Unstructured data, on the other hand, is more like human language. It doesn’t fit nicely into relational databases, and searching it based on the old algorithms ranges from difficult to completely impossible. Examples include emails, text documents (Word docs, PDFs, etc.), social media posts, videos, audio files, and images. These types of data have become invaluable for big data analytics. Source: B. WOLFE, “What’s the Difference Between Structured and Unstructured Data?”, SolarWinds Blog 2017, https://blog.samanage.com/insights/whats-the-difference-between-structured-and-unstructured-data/.
13
1.2.2.4 Veracity
The fourth V, veracity, relates to (the lack of) accuracy and shows that uncertainty is involved in big data analytics.71 One might wonder, for example, whether a found correlation is of value or, on the contrary, completely absurd. Certainly, in cases where there is no direct cause and effect between two phenomena that show a close correlation, there is a risk of drawing inaccurate but also – if applied at the personal level – potentially unfair and even discriminatory conclusions.72 In addition, while some argue that volume makes up for the lack of quality or accuracy73, the importance of establishing the trustworthiness of the data source and the manner of processing cannot be overstated. To reduce abnormalities or inconsistencies, duplication or bias are just a few aspects that factor into improving the accuracy of big data.74 Certainly, when big data analytics are applied towards automated decision-making, veracity of input data is of utmost importance. Issues regarding the opacity, bias and fairness of automated decision-making will be further discussed in Chapter 2.
1.2.2.5 Value
The primary reason why big data has developed rapidly over the last years is because of its ability to create value. The 2018 NewVantage Partners Survey showed that over 73% of business who have invested in big data projects already received measurable value from these initiatives.75 This number is 50% higher than in the 2017 survey, suggesting that value extraction from big data will only increase as companies grow more familiar with the new technologies.76 Big data can be used to track down inefficiencies in undertakings, replace labour-intensive calculations by automated decisions or identify the need for new products or services. However, most importantly (at least within the scope of this exposition), big data provides an improved opportunity to customise product offerings to certain segments of customers in order to increase revenues.77 This is why many have argued that value is the most important V of big data.78 After all, money is what makes the world go round.
71 A. LAFARRE, “Recht voor big data, big data voor recht”, Computerr. 2016, (146) 147. 72 EDPS, Opinion 7/2015 on the challenges of big data, 8.
73 IMG BIG DATA HUB, “The Four V’s of Big Data”, IMG 2013, http://www.ibmbigdatahub.com/
infographic/four-vs-big-data.
74 GUTCHECK, “Veracity: The Most Important “V” of Big Data”, GutCheck 2019, www.gutcheckit.com/
blog/veracity-big-data-v/.
75 NVP Survey 2018, 2. 76 ibid.
77 BIG DATA FRAMEWORK, “Five ways to capture Value from Big Data”, Big Data Framework 2018,
https://www.bigdataframework.org/value-of-big-data/.
78 See among others: BIG DATA FRAMEWORK, “Five ways to capture Value from Big Data”, Big Data
Framework 2018, https://www.bigdataframework.org/value-of-big-data/, B. MARR, “Why only one of the 5 Vs
of big data really matters”, Blog IBM Big Data & Analytics Hub 2015, http://www.ibmbigdatahub.com/blog/why-only-one-5-vs-big-data-really-matters and BBVA, “The Five V’s of Big Data”, BBVA 2017, https://www.bbva.com/en/five-vs-big-data/.
14
1.2.2.6 Technical Computation
Having discussed the five Vs of big data, it is time to address their common denominator: technology, and more specifically technical computation. High volume, velocity, variety, veracity and ultimately value all rely on technical and algorithmic computation. Where in the past at best a small sample of data could be collected and examined, algorithmic computation has enabled us to use vastly more data, not just in absolute terms but relative to the amount of data in existence.79 Such comprehensive use of data has greatly reduced – although certainly not eliminated – the possibilities of bias and error, because small data samples no longer have to be extrapolated to the whole.80 Even more, the use of big data has, at least to an extent, reversed the direction of discovery. Patterns in data can be used to foster new theories, rather than ‘prove’ existing ones.81 In light of the above, technical advancement rightfully earned its place on this list. It has been and will always remain a determining factor in the way big data is perceived and defined.
79 MAYER-SCHÖNBERGER 2016, (315) 318. 80 ibid.
15
1.3 Direct Marketing
1.3.1 Introduction
Direct marketing is an umbrella term concerning a great many ventures, some of which fall outside of the scope of this exposition. As such, similar to the concept of big data, it is necessary to specify this notion within the context. According to the Cambridge dictionary, direct marketing is “the activity of marketing products and services by communicating directly with consumers by phone, mail, or on the internet. [It] is targeted, in that it seeks to create direct contact with individual customers.”82 While this may bring significant economic benefits for stakeholders, such practices, though, must not be carried out at the expense of data subjects’ right to privacy and data protection. In the traditional context, direct marketing refers to the use of ‘old-school’ mail, fax, e-mail and automated calling machines for marketing purposes. Although these methods certainly rely on some form of processing of personal data – after all, you need the address before you can send the e-mail – and thus fall within the scope of European data protection law, they do not necessarily require big data applications. Technology has evolved, and with it, the way marketing material is being delivered to consumers. Moreover, because of the rise of tracking technologies, profiling and automated decision-making (infra), advertisements are becoming ever-more specifically targeted. Instead of simple e-mails, now targeted advertisements pop up on smartphones and computer screens and they are embedded in smart objects linked to the Internet of Things.83 Specifically, this practice of ‘interactive media advertising’ raises important data protection and privacy concerns. Therefore, unless indicated otherwise, when referring to direct marketing, it will pertain to the online advertising methods as illustrated in the next section.
1.3.2 Behavioural advertising
Interactive media advertising refers to a broad range of methods that aim to create more relevant advertisements.84 These methods, by and large, can be classified in three categories. First, there is ‘contextual advertising’ where advertisements are selected based on the content currently being viewed by the data subject and, in the case of search engines, content may be derived from the previous search query, keywords or the user's IP address if it indicates their likely geographical location.85 This approach is considered to be the least intrusive. The processed data are not particularly revealing, nor are they being derived from an intricate profile of the individual concerned. The second category, ‘segmented advertisement’, shows advertising based on known characteristics of the
82 Definition from https://dictionary.cambridge.org/dictionary/english/direct-marketing.
83 ARTICLE 29 WORKING PARTY, Opinion 06/2014 on the notion of legitimate interests of the data controller
under Article 7 of Directive 95/46/EC, WP 217, 46 (Hereafter: A29 WP, Opinion 06/2014 on legitimate
interests).
84 ARTICLE 29 WORKING PARTY, Opinion 2/2010 on online behavioural advertising, WP 171, 4. (hereafter:
A29 WP, Opinion on online behavioural advertising).
16 customer, which he or she has provided at the sign-up or check-out stage.86 Using this specific data for advertising purposes – on the condition that the processing is based on consent or the legitimate interests of the controller and complies with European data protection principles (infra 2.3 et seq.) – is not particularly problematic in that the data subject can reasonably expect the controller to have this information. Thirdly, the A29 WP defines ‘behavioural advertising’ as “advertising that is based on the observation of the behaviour of individuals over time. [It] seeks to study the characteristics of this behaviour through their actions (repeated site visits, interactions, keywords, online content production, etc.) in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their inferred interests.”87 Clearly, this method is the most alarming; whereas contextual- and segmented advertising use ‘snapshots’ of what customers view or do on a particular website or utilise information provided by the data subject himself, behavioural advertising allows advertisers to employ a potentially very detailed picture of the subject’s online life.88
1.3.2.1 Actors
Unlike contextual- or segmented advertising, where the entire process of advertising can be carried out by a single controller, behavioural advertising relies on the interaction between; (i) ad network providers who, at its basic level, connect buyers and sellers in the online marketplace89; (ii) advertisers who want to promote products or services to a certain target audience; and (iii) publishers who are the website owners looking for revenue by selling empty space to display ads.90
The process of distributing ads through an advertising network works as follows91: The publisher reserves space on his website with the intention to display ads and delegates the remainder of the advertising process to ad network providers. These providers control the targeting technology and associated databases and are responsible for the distribution of advertisements. The more publishers that are connected to the network, the more resources it has to monitor and track data subjects. Lastly, the advertisers will negotiate with one or more ad network providers to get them to show their ads on the websites of relevant publishers. The price that the advertiser is willing to pay determines the quality of the targeting and placement of the ad. Publishers and advertisers are often connected to multiple ad networks, and the advertiser rarely knows the identity of the publishers. For example, publisher A, who runs a fashion magazine, wants to sell space on his website to display ads. On the other hand, there is advertiser B, owner of an online clothing store, who wants to reach his target audience. As such, they contact advertisement network operator C who distributes the ads from B to A’s website. Today the biggest ad network
86 ibid. 87 ibid. 88 ibid.
89 J. AGUIAR, “Ultimate List of The Best Ad Networks Right Now”, Mobidea Academy 2019,
https://www.mobidea.com/academy/best-ad-networks-list/.
90 A29 WP, Opinion on online behavioural advertising, section 2.1. 91 ibid.
17 provider is Google AdSense with nearly two million advertisers, over 290.000 publishers and billions of customers. Honourable mentions include Facebook Audience Network ads (with close to a million advertisers and over two billion users) and Apple Advertising (the leader in mobile display advertising).92
1.3.2.2 Tracking technology
In most cases, behavioural advertising relies on tracking technologies that employ some form of client-side processing.93 In other words, it uses information from the data subject’s browser or terminal equipment (e.g. smartphone, computer, smart device, etc.). Today, the ‘tracking cookie’ remains a fundamental instrument to monitor and analyse the online behaviour of consumers. A cookie is a small alphanumeric text file that is stored on the user's terminal equipment, either temporarily for the duration of the website visit or browser session (‘session cookies’) or permanently on the hard disk (‘persistent cookies’).94 In the latter case, the cookies either have a precise expiry date in the far away future, or they remain on the hard disk until manually removed.95 Cookies provide a way for the website to recognise and keep track of users’ preferences. For example, they remember usernames and passwords, visited pages of a website or the contents of an online shopping cart. Subsequently, this information can be accessed by ad network providers to build profiles on said users. Typically, the ad network provider, after obtaining consent from the data subject (infra 2.3 and 2.4), places a tracking cookie on his or her terminal equipment, when he or she accesses a website serving an ad of its network. This way, the network can recognise former visitors who return to that website or visit another website that is associated with the advertising network. These repeated visits enable the algorithms of the network provider to build a profile of the visitor, which will in turn be used to deliver personalised advertising.96 Tracking cookies are often referred to as ‘third-party cookies’ as they are placed by a party (i.e. the ad network) that is distinct from the webserver that displays the original content of the website (i.e. the publisher).
In most cases, however, the consent rule for placing cookies to protect the confidentiality of terminal equipment fails to reach its objective as end-users face requests to accept both functional and analytical cookies and tracking cookies in the same pop-up or banner without understanding their respective scopes. Unlike tracking cookies, functional and analytical cookies are placed by the publisher to improve on the website’s accessibility (e.g. assess whether it is easy to navigate by analysing the clickstream) and convenience (e.g. by remembering usernames and passwords), and thus, are not used for behavioural advertising purposes. The ins and outs of the legal obligations concerning the use of processing and storage capabilities of terminal equipment and the collection of
92 WEBFX, “The 10 Best Display Advertising Networks”, WebFx 2016, https://www.webfx.com/
internet-marketing/top-display-ad-networks.html.
93 A29 WP, Opinion on online behavioural advertising, section 2.2.
94 Source: PC Mag Encyclopedia, https://www.pcmag.com/encyclopedia/term/40334/cookie. 95 A29 WP, Opinion on online behavioural advertising, section 2.2.
18 information from end-user’s terminal equipment97 will be discussed in section 2.4 of Chapter 2.
In closing, it is worth mentioning that cookies – the tracking technology par excellence – are having a hard time. With cookie-unfriendly browser settings and incognito modes, users can now easily delete or reject unwanted cookies. Second, ubiquitous ad-blocking software and more powerful privacy settings are making cookie tracking harder than ever. Finally, the recent explosion in the use of mobile devices has significantly complicated tracking activities as cookies cannot be transferred from one device to another (e.g. from a laptop to a smartphone) or shared between apps.98 Recently, ‘device fingerprinting’ is gaining ground as an effective alternative to tracking cookies. Unlike cookies, which are stored and accessed on the user’s terminal equipment, device fingerprinting combines certain characteristics of the hardware and software of a device – such as device type, browser version, operating system, installed plugins, location, time settings and screen resolution – to identify it as unique system. This tracking method relies on the probability that a device recognised as having specific attributes on one day is the same device seen with those same attributes on another day.99 Whereas the use of tracking cookies is certainly the more reliable technique, device fingerprinting benefits from the fact that it does not require the use of processing and storage capabilities of the terminal equipment of the data subject. In addition, because the information used for device fingerprinting is basic data that is relayed anytime a website loads in a browser, it is relatively tricky for individuals to prevent such practices.100 Although a complex and multi-layered process, the technical intricacies of which are beyond the scope of this research, device fingerprinting is proving extremely valuable for behavioural advertising. Especially as the combination of cookie data with user attributes has introduced the possibility to track individuals not only when they move between different applications and browsers on the same device but even when they transfer from a computer to a smartphone or tablet.101
1.3.2.3 Profiles
An online profile of an individual is the result of profiling. Profiling and the legal implications thereof will be discussed in further detail in section 2.3.4 of Chapter 2. This section merely pertains to the types and elements of profiles used for behavioural advertising.
97 Wording from art. 8, 1 Proposal ePrivacy Regulation. There is no mention of cookies or other specific tracking
technologies, this technology-neutral description allows for legal certainty in case cookies become obsolete as a tracking technology.
98 K. MATUSZEWSKA, “Device Fingerprint Tracking in the Post-GDPR Era”, PiwikPro 2019,
https://piwik.pro/blog/device-fingerprint-tracking-in-the-post-gdpr-era/.
99 T. PETERSON, “WTF is device fingerprinting?”, Digiday 2019,
https://digiday.com/marketing/what-is-device-fingerprinting/.
100 ibid.
101 NS8U, What is device fingerprinting?”, NS8 2018,
19 According to the A29 WP, there are two main approaches to building user profiles.102 On the one hand, there are predictive profiles which are established by observing user behaviour over time. Explicit profiles, on the other hand, are created from personal data that has been provided to a webserver by the data subjects themselves. These profiles can be combined and predictive profiles may become explicit at a later time, for example, when a customer unknowingly confirms inferred information by creating an account for a certain online service.103 Ad networks construct predictive profiles by using information acquired from tracking technologies and data mining104 software. The location of a data subject can be deduced, for example, from the IP address, while age and gender might be inferred by analysing the visited website pages and the ads to which he or she gravitates. These profiles are then enriched with information derived from the behaviour of other data subjects who exhibit similar behavioural patterns in similar contexts in order to classify them in their respective marketing categories (e.g. gaming, cooking, fashion, music equipment, etc.).105 While these elements constantly change, customer profiles almost always consist of demographics (age, gender, race); socioeconomic- (income and occupation, for instance); and psychographic information (such as interests and behaviour).106
102 A29 WP, Opinion on online behavioural advertising, section 2.3. 103 ibid.
104 Data mining is the process of sorting through large data sets to identify patterns and establish relationships
to solve problems through data analysis. Data mining tools allow enterprises to predict future trends. Source: M. ROUSE, “Data Mining”, TechTarget 2019, https://searchsqlserver.techtarget.com/definition/data-mining.
105 A29 WP, Opinion on online behavioural advertising, section 2.3.
106 K. BROWN, “How to Create a Customer Profile in 2019”, FitSmallBusiness 2019,
20
1.4 Conclusion
“With great power comes great responsibility”
~ Uncle Ben to Spider-Man
Considering the above, it is perhaps easier to comprehend how big data analytics have drastically transformed the marketing industry. Advanced tracking technology, active profiling and market segmentation have contributed to the rise of behavioural advertising practices on a level that digital ads start to feel psychic.107 As a result, personal data has become invaluable, and the amount of data held by a company can determine its success in an increasingly hostile market. Inevitably, this marketing revolution has had a major impact on privacy. Bulk interception and collection of personal data without pre-established purpose nor due notification has become common practice and seems incompatible with European data protection principles. Notwithstanding the possible benefits, this evolution must be approached cautiously in order to avoid a ‘dictatorship of data’108 where “we are no longer judged on the basis of our actions, but on the basis of what all the data about us indicate our probable actions may be.” 109
Recently, these challenges have been acknowledged by EU legislators. Most notably, the coming into force of the General Data Protection Regulation and the proposal for a Regulation on Privacy and Electronic Communications come to mind. The following chapter will explore the European data protection framework and more specifically, those provisions that are most relevant concerning the processing of personal data for marketing purposes.
107 For an interesting read on this matter see O. SHWARTZ, “Digitals Ads Are Starting to Feel Psychic”, The
Outline 2018,
https://theoutline.com/post/5380/targeted-ad-creepy-surveillance-facebook-instagram-google-listening-not-alone?zd=1&zi=nxgrdc2m.
108 NORWEGIAN DATA PROTECTION AUTHORITY (DATATILSYNET), “Big Data - Privacy Principles
Under Pressure”, Datatilsynet 2013, https://www.datatilsynet.no/globalassets/global/english/big-data-engelsk-web.pdf, 8. (Hereafter: DATATILSYNET 2013).
21
CHAPTER TWO: Key provisions of European data protection
2.1 Scope
First, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive or DPD)110 will be briefly addressed to get an idea on the origin of its successor, the General Data Protection directive, and to illustrate why new legislation on the matter was long over-due. Second, the greater part of this chapter will comment on the core principles of data protection in the European Union, with particular attention paid to the provisions that are most relevant to the use of big data for the purpose of targeted advertising. In conclusion, key concepts and provisions of the ePrivacy Directive and the proposed ePrivacy Regulation and their relationship to the GDPR will be identified and explained.
2.2 European data protection legislation and the Data Protection Directive
The right to data protection must be situated within the right to respect for private and family life as protected by Article 8 European Convention on Human Rights. Additionally, within the European Union, the right to data protection has been explicitly acknowledged as a distinctive fundamental right. Both Article 16 Treaty on the Functioning of the European Union and Article 8 of the Charter of Fundamental Rights of the European Union state that: “Everyone has the right to the protection of personal data concerning him or her”. Yet, despite being closely related to each other, they are not one and the same. Whereas the classic right to privacy pertains to a subjective right to keep certain private affairs out of reach of third parties, the right to data protection more specifically refers to the various principles that dictate how data should be processed in order to ensure that they are processed with the appropriate degree of care, considering the interests of all of the parties involved.111
Before the coming into force of the GDPR, the principle and substantive rules of data protection were laid down in the Data Protection Directive (DPD). The goal of the DPD was to ensure high levels of information privacy throughout the European Union while at the same time enabling the free flow of data within the EU.112 While the Directive, considering its age, provided for detailed and comprehensive rules on data protection, the
110 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data, Official
Journal L 281, 23 November 1995. (Hereafter: DPD)
111 Although closely related to each other, the right to privacy and the right to data protection are two distinct
rights. For an exposition on this matter see J. KOKOTT and C. SOBOTTA, “The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR”, International Data Privacy Law 2013, vol. 3(4), (222) 222-228 and L. MOEREL and C. PRINS, “Privacy for the Homo Digitalis: Proposal for a New Regulatory Framework for Data Protection in the Light of Big Data and the Internet of Things”, Tilburg
Institute for Law, Technology and Society (TILT) 2016, 17. (Hereafter: MOEREL 2016).
