Organisations making use of data mining and analysis risk inadvertently exposing their operations to privacy audits and hefty fines, a prominent intellectual property law firm has warned.
Shelston IP Lawyers have advised that organisations need to be wary that sophisticated analysis techniques emerging from the Big Data era may effectively “de-anonimise” consumer data believed to be anonymous.
In doing so, some organisations may find that they are in breach of Australian privacy laws without knowing it.
The consequences for organisations breaching privacy laws will become more serious from March 2014 when legislation comes into effect that gives the Australian Privacy Commissioner the power to fine companies up to $1.7 million for serious breaches.
Shelston partner and co-author of the paper, Mark Vincent, said behavioural profiling software designed to assist in creating highly targeted marketing campaigns had reached a level of accuracy that was challenging the ability to claim the data they produce was genuinely anonymous.
While such data is proving to be highly valuable to retailers, selling, licensing or moving it offshore could be illegal under Australian privacy regulations, Mr Vincent said.
“There are real questions about whether any big data set about people can be truly anonymous,” he said.
“A lot of privacy advocates would argue that if you throw enough computing power at any big set of information you can take anonymous data and track it back to people”.
He said that there were many examples of instances where data analysts were able to cross-reference data sets and link supposedly anonymous data to identifiable individuals – sometimes in circumstances exposing them to embarrassment.
Vincent said that the issue was yet to be put to a legal test in Australia but argued that as a matter of principle, if the identity of an individual could be discerned from a set of data, the data would be considered personal information.
“I guess companies might take more comfort than they should from anonymisation techniques,” he said.
iTnews asked the Office of the Australian Information Commissioner if it considered current domestic privacy laws adequate to cope with the Big Data era. The OAIC had previously responded to an Australian Law Reform Commission (ALRC) recommendation to tighten the definition of 'personal information', stating:
“The Office recognises the challenges posed by the development of new technologies and processes, particularly in the field of data-matching, that have the potential to create identified information from data sources containing previously anonymous data.
“However, the definition of personal information leaves open the flexibility to consider the degree to which an organisation is able to ‘reasonably ascertain’ someone’s identity, including by the use of such technologies.”
Australian Privacy Commissioner Timothy Pilgrim told iTnews this week that the Privacy Act is designed to be technology-neutral.
"The new Australian Privacy Principles (or APPs) are principles-based law to provide the flexibility to be applied to a range of data uses and technologies such as big data analytics," he said.
The Privacy Act allows the OAIC to make a judgment call on whether personal data is still "reasonably identifiable" based on such factors as the resources, cost, difficulty, practicality and likelihood of the data being matched. That definition, he said, is currently under review.
Further, the Australian Law Reform Commission is "currently considering the design of a statutory cause of action and other ways the law might prevent or redress serious invasions of privacy in the digital era," he said.