Ensuring the protection of data subjects has become central to both the research and commercial use of big data. Current data protection regulations play an important role in providing safeguards, mitigating risk, and mandate rights for data subjects. Today’s legal landscape, however, is often characterised by heterogeneity, making it difficult to oversee it. Furthermore, it is essential to bridge between the legal context and implementations by providing guidelines and to implement the principles.
Ensuring the protection of data subjects[i] has become central to both the research and commercial use of big data. Many laws have upheld the principles of data minimisation[ii] when personal data are being processed. Although the definition of big data and the ways big data can be used differ from field to field and context to context (De Mauro et al. 2016; Favaretto et al. 2020), the essence of any kind of big data methodology is the linking and use of a large amount of data. Whenever the processing of information concerns personal data, privacy rights could be at risk. Currently, laws impose safeguards to mitigate risks such as requesting either risk—for example, mandating the subject’s consent for data use—or requiring lawful grounds for processing personal data. Data that is anonymised or non-personal is exempted from such safeguards and can be processed without further limitations.[iii] Exempting anonymised data is problematic, as anonymised data might be easily re-identified by linking sources or employing advanced computational methods. Thus, there is a clear need for other approaches to address this issue (Samarati and Sweeney 1998; Kairouz and Viswanath 2017; Torra and Navarro-Arribas 2016). Differentiating between personal and non-personal data is also problematic. The power of big data lies in the linkage of different data sources for prediction or analysis. Linking non-personal data that is not subject to data protection with personal information might reveal problematic patterns (Schneble, Elger, and Shaw 2020a) and lead to discrimination and disrespect for individual privacy.
Swiss legislation makes a distinction between the processing of data by private entities (private individuals and companies) and their public counterparts (entities such as governments and cantons). Whilst private entities need either some interest or direct consent from individuals to process data, the processing of data by the government needs a legal base in addition. Private entities are subject to the federal law as well as federal institutions[iv], while their cantonal counterparts are subject to cantonal legislation, which rests on the same principles as the federal laws but differs on minor issues. Besides this umbrella law, to which institutions and private entities refer, there are sectorial regulations, like the Law on Health Insurance in the insurance sector, the Epidemic Law in the case of pandemics, the Law on Electronic Health Records for clinical data, and the Human Research Act for biomedical research.[v] This diversity as well as the cantonal differences have made it hard for individuals and researchers to determine which laws they must adhere to (Martani et al. 2020).
Especially in the public discourse, the concept of data ownership is often mooted as a possible solution because it is commonly associated with increased control over (personal) data. However, many legal scholars have opposed the concept—mainly because ownership in property law entails exclusive rights and rights of dominion and defense (Picht 2017; Weber and Thouvenin 2018; Widmer et al. 2021). As data are not of a physical nature, those rights do not fulfill the characteristics. It has also been argued that market failure has typically been the spur for increased regulation, but, as Thouvenin and others point out, this would only apply if data would not be created or used to the extent desired by society (Widmer et al. 2021).
However, some safeguards in respect to the use of data are in force in many domains. For example, the use of health-related data in biomedical research is governed by the Human-Research Act (HRA), which places additional safeguards on the use of data in this domain (D’Amico and Rütsche 2015). Because data are immaterial goods, they are covered to some extent by the Federal Act on Copyright and Related Rights. However, it is often hard to delineate when data are intellectual creations to which the extended safeguards would apply.[vi]
Nevertheless, there is a need for action, especially with regard to the monetisation of data. At a time when data are becoming increasingly important assets and can be used to generate capital in many areas, data subjects should be allowed to benefit from the use of their data (Amstutz 2018). This sentiment was also voiced by data-protection officers during research conducted within NRP 75 (Widmer et al. 2021).
As demonstrated in the previous paragraphs, the legal landscape is characterised by heterogeneity, and different types of data (for example, health data) are subject to different safeguards. However, the scope of the Federal Act on Data Protection (FADP) is more comprehensive than it might seem at first glance as it is philosophically based on personal rights. This implies that the principles are vaguely defined and lack precise instructions for action (Epiney 2015). This is where ethics and ethical guidelines come into play; an analysis of recent scandals (Schneble et al. 2020c, 2018) showed that there is a conflict of objectives between what is feasible (in terms of technology) and ethical behaviour. This risk, however, could be mitigated by mandating ethical review boards in the commercial field. This concept has been successfully adopted in biomedical research for several decades.
Another angle for improvement lies in the area of consent. As mentioned before, getting approval to process data has largely involved presenting data subjects with terms and conditions. However, the latter has proven rather ineffective (Cate and Mayer-Schonberger 2013). Terms and conditions are long and written in complex language, so this approach can be problematic when targeting groups of vulnerable persons—especially children (Schneble et al. 2021) There have been various attempts to improve this situation. For instance, the process of getting consent could be made simpler by providing simplified terms and conditions or presenting them graphically (Brunschwig 2001). Another approach is to provide users oversight of which data they share in a portal-based solution, as proposed by opponents of the dynamic consent solution (Steinsbekk et al. 2013; Kaye et al. 2015), or delegating those rights to a third party that acts as a steward (Hafen 2015).
[i] The term “data subjects” refers to individuals whose data is processed. The term “data processor” refers to the entity doing the processing.
[ii] The General Data Protection Regulation (GDPR) has influenced many other laws. In Article 5, it lays out the principles relating to processing personal data, including that such data should be adequate, relevant, and limited to what is necessary to the purposes for which it is processed (“data minimisation”). Although the Federal Act on Data Protection (FADP) does not define the principle of data minimisation, it states in Article 4, Numeral 3, that data may only be processed for the purpose indicated at the time of collection, evident from the circumstances, or provided for by law.
[iii] Martani et al. (2020) provide a decision tree for this issue. Anonymisation eliminates the reference to a data subject/person so that the subject or person can no longer be identified.
[iv] In the academic environment this might lead to a paradoxical situation. For example, a federal institution on one side of the street is governed by federal law, whereas its cantonal counterpart on the other side of the street is subject to jurisdiction of the canton.
[v] For a comprehensive overview of laws relating to data handling in biomedical research, see Martani et al. (2020).
[vi] For a more detailed view on this, see Weber et al. (2018) and Widmer et al. (2021).
Recommendations
As data protection laws cannot follow the dynamics of Big Data development, the provision of guidelines is a better way forward. The context of obtaining consent is a field where for example the use of up-to-date mechanisms such as dynamic consent could be beneficial for individuals, their engagement, and protection of their right by maintaining their autonomy.
About the White Paper
Download PDF
- Eleonora Viganò (University of Zurich) – editor
- Mira Burri (University of Lucerne)
- Markus Christen (University of Zurich)
- Bernice Elger (University of Basel)
- Christian Hauser (University of Applied Science of the Grisons)
- Marcello Ienca (EPFL)
- Michele Loi (University of Zurich)
- Christophe Schneble (University of Basel)
- David Shaw (University of Basel)
About the ELSI Task Force
Project description on www.nrp75.ch
http://www.nfp75.ch/en/projects/cross-cutting-activity/elsi-task-force-for-the-national-research-programme