In the digital age, technology companies play a central role in the creation, processing, and use of massive amounts of data, known as big data. The potential of big data to enhance business operations and improve the user experience is being transformed by the need to protect the privacy and rights of data subjects. Today, the legal procedures for how technology companies, which have been involved in many scandals, should comply with big data practices and the rights of data subjects under the GDPR are still highly debated.
While both the nature of data and the complexity of the sets that make up big data open an interesting universe, the legal dimension of the debate has also become extremely important. This article discusses how big data can be protected and whether data subjects can claim rights over it.
II. WHAT IS BIG DATA? HOW DO TECHNOLOGY COMPANIES USE BIG DATA?
Big data generally refers to large and complex data sets collected from a variety of sources, and by analyzing this data, patterns, trends, and relationships are identified. Insights from big data analysis enable businesses to make informed decisions, optimize processes and personalize services. Technology companies are at the forefront of data-driven innovation, using big data to deliver cutting-edge products and services.
To achieve these goals, technology companies engage in various data processing activities such as data collection, storage, aggregation, analysis and sharing. However, these activities must comply with the GDPR’s data protection principles to protect the rights and privacy of data subjects.
III. BIG DATA and GDPR
The GDPR is a comprehensive data protection regulation governing the processing of personal data within the European Union (EU) and the European Economic Area (EEA). With the implementing field provision in Article 3 of the Regulation, technology companies located outside the EU/EEA are also obliged to comply if their processing activities are carried out within the framework of the provision of goods or services to EU/EEA residents.
According to the GDPR, personal data is any information relating to a specific identifiable natural person, so big data often includes personal data such as names, email addresses or browsing behavior and is therefore subject to the requirements of the regulation.
a. Legal Basis for Big Data Processing
As it is known, to process personal data under the GDPR, one of the legal grounds specified in Article 6 must be relied upon. These legal grounds, which also apply to big data processing, can be listed as follows:
- Article 6(1)(a) GDPR: The data subject’s consent to the processing of personal data for one or more specific purposes. All the conditions for valid consent are met when the data subject gives specific, informed, and unambiguous consent. However, obtaining valid consent for big data processing can be difficult due to the amount and complexity of the data involved.
- Article 6(1)(b) GDPR: Processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering a contract. The processing of personal data may be necessary for the performance of a contract with the data subject, in the context of the provision of personalized services or recommendations.
- Article 6(1)(f) GDPR: Processing is necessary for the purposes of those interests, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data outweigh the legitimate interests pursued by a controller or a third party, where the data subject is a child. Technology companies may choose to process personal data for big data analytics based on their legitimate interests, but care must be taken to ensure that these interests do not override the fundamental rights and freedoms of data subjects.
b. Compliance with Data Minimization and Purpose Limited Processing Principles
When working with big data, technology companies must comply with the principles of data minimization and purpose limitation in Article 5 of the GDPR. Due to the nature of big data, these principles force my data controllers while finding an application area. However, there is a risk of being penalized by the authorities if the purposes of processing the collected personal data are not sufficient and limited.
Given the vastness of big data stores, it is important for companies to implement strong anonymization or pseudonymization techniques to minimize the risk of re-identification and facilitate compliance with these principles.
c. Rights of Relevant Persons under the Transparency Principle
Transparency is one of the cornerstones of the GDPR. Technology companies are obliged to provide data subjects with clear and concise information about their data processing activities, such as the purposes, legal basis, retention periods and the rights available to the data subject.
Data subjects have several rights, as defined in Article 4(1) of the GDPR, which technology companies are obliged to provide:
- Right of Access: Data subjects have the right to know whether their personal data is being processed and to access relevant information.
- Right to Rectification: Data subjects have the right to request rectification of inaccurate or incomplete personal data.
- Right to be Forgotten: Also known as the “Right to Erasure”, this right allows data subjects to request the erasure of their personal data under certain conditions.
- Right to Restrict Processing: Data subjects have the right to restrict the processing of their personal data in certain circumstances.
- Right to Data Portability: Data subjects can make a request to receive and transfer their personal data to another controller in a structured, commonly used, and machine-readable format.
d. Profiling and Automated Decision-Making Processes
Big data sets contain profiling by their very nature. Since profiling processes are based on the automated processing of personal data, the behavior, preferences or, in some cases, even personal characteristics of the data subjects are analyzed. Through profiling, important processes such as personalized advertisements, credit assessments or job opportunities can be offered to individuals. Pursuant to Article 22 of the GDPR, data subjects have the right not to be subjected to automated processing decisions, including profiling, which have legal or similar important consequences only if appropriate measures have been taken or explicit consent has been obtained.
In the ever-changing and evolving big data ecosystem, technology companies must take a few measures to comply with the complex regulatory obligations imposed by the GDPR. As explained in detail above, full compliance with the principles under the law and the obligations defined for the data controller will make the use of big data privacy compliant. In the digital age, it is easy for individuals to exercise their rights but extremely difficult to protect them, while compliance processes under the GDPR will encourage innovation and continuously grow the data-driven marketplace.