Big Data and Law
A Practitioner's Guide
Abstract
Caldarola/Schrey
Big Data and Law “Big Data” refers to large amounts of data originating from various sources which are stored, processed and analysed with specific applications to obtain all kind of (inter-) dependency analyses, environmental and trend research, and for system and production control purposes. As in data mining, knowledge discovery is a priority for Big Data applications. Big Data is now seen as a new source and a “reserve” of additional revenue. When dealing with Big Data, it is not enough to have the necessary technical expertise and infrastructure. Rather, the legal scope must also be observed. As a result of the applicability of the EU General Data Protection Regulation since 25 May 2018 and the associated potentially substantial fines for data protection infringements, data protection supervisory authorities in particular will intensify their supervisory measures and also focus their attention on Big Data applications. With numerous guidelines and graphics, this book is a practical legal guide to gathering, storing and analysing personal and other types of data in Big Data applications. It provides comprehensive, practice-oriented assistance and reliability for planning everyday business in a Big Data environment.
Zusammenfassung
Caldarola/Schrey
Big Data and Law “Big Data” refers to large amounts of data originating from various sources which are stored, processed and analysed with specific applications to obtain all kind of (inter-) dependency analyses, environmental and trend research, and for system and production control purposes. As in data mining, knowledge discovery is a priority for Big Data applications. Big Data is now seen as a new source and a “reserve” of additional revenue. When dealing with Big Data, it is not enough to have the necessary technical expertise and infrastructure. Rather, the legal scope must also be observed. As a result of the applicability of the EU General Data Protection Regulation since 25 May 2018 and the associated potentially substantial fines for data protection infringements, data protection supervisory authorities in particular will intensify their supervisory measures and also focus their attention on Big Data applications. With numerous guidelines and graphics, this book is a practical legal guide to gathering, storing and analysing personal and other types of data in Big Data applications. It provides comprehensive, practice-oriented assistance and reliability for planning everyday business in a Big Data environment.
- Kapitel Ausklappen | EinklappenSeiten
- I–XXIII Titelei/Inhaltsverzeichnis I–XXIII
- 1–14 A. Introductory remarks 1–14
- I. Why Big Data?
- II. Why must a party not established in the EU comply with GDPR with respect to Big Data applications?
- 1. General principles
- 2. Companies established in the EU (Art. 3 (1) GDPR)
- 3. Companies not established in the EU (Art. 3 (2) GDPR)
- 4. Offering of goods or services to data subjects in the EU
- 5. Monitoring the behaviour of subjects in the EU
- 6. Data processing facilities in a place where Member State law applies (Art. 3 (3) GDPR)
- 7. Limits of the scope of application – opening clauses
- 8. Most relevant opening clauses in the GDPR
- a) Data processing in employment contexts (Art. 88 GDPR)
- b) Designation of a data protection officer in cases other than Art. 37 (1) GDPR
- c) Processing carried out in the public interest or in compliance with a legal obligation
- 9. Summary
- III. Which data are affected?
- IV. What are the differences between the data types?
- V. Which verification steps need to be considered for a Big Data application?
- 15–36 B. Types of data 15–36
- I. Personal data
- 1. Definition of “personal data” pursuant to Art. 4 (1) GDPR
- 2. Identifiability of personal data (Examples)
- a) Dynamic IP addresses
- b) Personnel or customer numbers
- c) VIN/Vehicle registration numbers
- d) Special categories of personal data
- e) Location, traffic and usage data
- f) Characteristics of specific data sources
- II. Non-personal data
- III. Databases and collections
- 1. Collections of works, data or other independent elements, § 4 German Copyright Act
- 2. Database protection rights
- 3. Protection of individual elements of a database or a collection
- a) Database model
- b) Data format
- c) Interface
- IV. Protection as business or trade secret
- V. Householder’s right with regard to the collection of factual data
- VI. Virtual householder’s right
- VII. Factual data linked to IP addresses or other identifying characteristics
- VIII. No data ownership
- 37–48 C. The controller 37–48
- I. Processor
- 1. Controller-to-processor agreement (C2P)
- 2. Obligation to separate the databases
- 3. Other obligations of the processor
- 4. Securing instruments for compliance with data protection obligations of a controller of Big Data Applications with regard to the processor
- a) Selection and prior checking
- b) C2P agreement
- II. Joint controllers, Art. 26 GDPR
- 1. Internal relationship between the joint controllers
- 2. Provision of the internal agreement
- 3. External Relationship Between the Joint Controllers and the Data Subject
- III. Dynamic matrix structures
- 1. Participation in projects of multiple responsible entities
- 2. Employee secondment/supply of temporary staff
- 3. Joint controllers within the meaning of Art. 26 GDPR with regard to project participations
- IV. Cloud computing
- 1. Storing in your own cloud
- 2. Use of third-Party cloud storage
- 49–52 D. Specific requirements and tasks of the data protection officer with regard to Big Data applications 49–52
- I. Specialist knowledge
- II. Organizational and operational involvement of the data protection officer
- III. Communication with data subjects
- IV. Information and monitoring obligations
- V. Cooperation and control obligations
- VI. Internal procedure in the event of a data protection violation
- 53–70 E. Lawful ground for data processing (collection, acquisition, transmission, evaluation and commercialization) 53–70
- I. Statutory lawful grounds for personal data
- 1. Performance of a contract
- 2. Balance of interests
- 3. Works council agreements
- 4. Consent
- a) Declaration of consent
- b) Formal requirements
- c) Free Will
- d) Indication of the purpose of the collection and processing
- e) Transmission to third parties, in particular to countries outside the EU
- f) Right to withdraw consent
- g) Opt-in and opt-out solutions
- II. Processing of non-personal factual data
- 1. Processing of factual data
- 2. Obtaining data from data collections/databases
- 3. Obtaining data from Open Data projects
- 4. Data from publicly available sources
- 71–78 F. Data processing and data cycle (level of data purpose) 71–78
- I. Data processing
- II. Life cycle of data
- III. Collection of personal data for purposes other than their use in Big Data applications – a change of purpose
- 1. The purpose of data collection and processing
- 2. The “purpose” of contracts for the supply and use of data
- 3. The problem of dynamic purpose changes in Big Data applications
- a) The link between the original and new purpose
- b) The context of data collection
- c) The type of personal data
- d) Possible consequences of the intended subsequent processing for the data subjects
- e) The existence of appropriate guarantees
- 79–82 G. Third country transfer/Applicable law (Level of applicable law) 79–82
- 83–116 H. Development of a Big Data application 83–116
- I. Collection of data
- II. Obtaining and acquiring data from data service providers
- 1. Legality of the collecting data provided by a data supplier
- 2. Legitimacy of data acquisition from third parties
- 3. Rectifying deficiencies
- III. Combination of data
- 1. Lawfulness of combining different data categories at the level of data retrieval
- 2. Combining personal data from different data sources
- 3. Combining personal data with factual data or anonymous data
- 4. Combination of personal data from different countries of origin
- 5. Combining different personal data collected for different purposes
- 6. Rectifying deficiencies
- IV. Extending the range: anonymization/pseudonymization of data stored in a Big Data database
- 1. Pseudonymization (Art. 4 No. 5 GDPR)
- 2. Anonymization
- 3. Encryption and secrecy
- 4. De-anonymization for large amounts of data that allow re-identification
- 5. Data Trustee
- a) Requirements for a data trustee
- b) Contractual penalty for breach of duties or for overcoming joint management controls
- V. Transmission of data from several controllers to a central Big Data application
- VI. Evaluation and analysis of data
- 1. Lawful grounds for the evaluation and analysis of personal data
- 2. Big Data applications for the analysis of data with reference to employees or applicants
- a) Applicant analysis
- b) Employee analysis
- c) Stress and mood analyses
- d) Databases for project analysis
- e) Prohibition of completely automatically generated individual decisions
- 3. Collective agreements
- 4. Rights of the works council to participate (in Germany § 87 (1) No. 6 BetrVG)
- 5. Special cases
- a) Scoring
- b) User profile
- VII. Continuation of personal reference even after evaluation and analysis of data
- 1. Analysis of personal data records insofar as personal references still exist or can be restored
- 2. Evaluation of pseudonymized data records
- 3. Evaluation of non-personal data, factual data or anonymized data
- VIII. Use of personal data or person-related evaluation/analysis results
- 117–134 I. Erasure obligations 117–134
- I. Development of an erasure concept
- II. Implementation of a data erasure concept
- III. Necessary elements of a data erasure concept?
- 1. Description of retention and erasure obligations
- 2. What is the relevant law for determining retention and erasure obligations?
- 3. Legal retention obligations
- 4. Erasure periods for archiving data on the basis of consent
- 5. Determining erasure periods from the purpose of use, the applicable statutory provisions and the business process reference of the processed data
- 6. Types of data for which the intended use provides the basis for determining the retention period
- a) Determining a purpose and associated lawful ground for personal data
- b) Purpose and retention of non-personal data
- IV. Start times of retention and erasure obligations
- V. Assignment of data types to erasure classes
- VI. Resolution of conflicts when using one data type in different databases
- VII. What does “erasure” of data mean in contrast to its “blocking”, “masking”, “pseudonymization” or “anonymization”?
- VIII. Obligation to erase personal data regarding a data subject
- 1. Reasons
- a) Personal data
- b) Non-personal data
- 2. Date
- 3. Reasons for exclusion
- 4. Right to be forgotten
- 5. Right to limitation of processing
- IX. Erasure obligations towards licensors, data suppliers etc. independent of the data content
- X. Uniform erasure period for all documents and data
- XI. Erasure obligations for cross-border data processing
- XII. Storage locations and erasure obligations
- XIII. Four-eyes principle and documentation
- 135–146 J. Relevant rights of data subjects in Big Data applications according to the GDPR 135–146
- I. Information obligations according to Art. 13, 14 GDPR
- II. Rights of data subjects pursuant to Art. 15 et seq. GDPR
- 1. Right to access
- 2. Right to rectification
- 3. Right to erasure and to be forgotten
- 4. Right to restriction of processing
- 5. Right to data portability
- 6. Right to lodge a complaint
- III. Records of processing activities according to Art. 30 GDPR
- IV. Implementation of technical and organizational measures to protect personal data from unauthorized access
- 1. Access control
- 2. (Virtual) Access control
- 3. Admission control
- 4. Data medium control
- 5. Access and user control
- 6. Control of disclosure, transmission and transport
- 7. Input and storage control
- 8. Contract control
- 9. Availability control
- 10. Separation control
- 11. Recoverability
- 12. Reliability
- 13. Data integrity
- 14. Sanction for non-existent or inadequate technical and organizational measures
- V. General principles for the processing of personal data in Art. 5 GDPR
- 1. General principles for the processing of personal data
- 2. Principle of accountability (Art. 5 (2) GDPR)
- 3. Sanctioning a breach of these principles
- 147–148 K. Data protection impact assessment 147–148
- 149–154 L. System data protection when operating Big Data applications 149–154
- I. System data protection for personal data
- 1. Fundamental right to informational self-determination
- 2. The fundamental right to ensure the integrity and confidentiality of information technology systems
- 3. Indirect effect of fundamental rights between private individuals; Interpretation of guidelines
- 4. Ensuring confidentiality through technical and organizational measures
- II. System data protection for non-personal data only in a Big Data Application
- 155–158 M. Protection of Big Data applications 155–158
- I. Technical and organizational measures
- II. Protection of the algorithms underlying the Big Data application
- III. Compliance management system
- IV. Aspects of copyright contract law in the database management system
- 159–168 N. Legal consequences of non-compliance with the legal requirements set out in this guide 159–168
- I. Sanctions in case of violation of data protection regulations
- 1. Administrative fines
- 2. Material and non-material damages supplemented by power to bring collective actions
- 3. Misdemeanours
- 4. Entry in central trade register (loss of entitlement to participate in public tenders)
- 5. Penalties according to the BDSG
- 6. Supervisory intervention rights of the data protection supervisory authorities
- II. Legal consequences of infringement of copyrights in collective works or database protection rights
- 1. Injunctive relief
- 2. Damages claim
- 3. Enforcement of copyright claims
- 4. Destruction claim
- 5. Liability of the controller
- 6. Right to information
- 7. Criminal offences
- III. Violation of virtual householder’s rights
- 1. Injunctive relief
- 2. Damage claims
- 3. Subordinate claims
- 4. Relevance under criminal law
- IV. Sanctions for infringing business or trade secrets pursuant to the German Trade Secrets Act
- 1. Criminal offences
- 2. Civil law Claims under the German Trade Secrets Act
- V. Contractual claims
- 169–174 O. Big Data Applications as a service 169–174
- 175–176 P. Recommended Actions 175–176
- 177–178 Index of keywords 177–178
