computer law & security review 32 (2016) 696–714

Available online at www.sciencedirect.com

ScienceDirect

w w w. c o m p s e c o n l i n e . c o m / p u b l i c a t i o n s / p r o d c l a w. h t m

Data analytics and consumer profiling:

Finding appropriate privacy principles for
discovered data

Nancy J. King a,*, Jay Forder b

a
College of Business, Oregon State University, Corvallis, Oregon, USA
b
Law Faculty, Bond University, Gold Coast, Australia

A B S T R A C T

Keywords: In Big Data, the application of sophisticated data analytics to very large datasets makes it
Big Data possible to infer or derive (“to discover”) additional personal information about consum-
Data analytics ers that would otherwise not be known from examining the underlying data. The discovery
Consumer profiling and use of this type of personal information for consumer profiling raises significant in-
Privacy formation privacy concerns, challenging privacy regulators around the globe. This article
Data protection finds appropriate privacy principles to protect consumers’ privacy in this context. It draws
insights from a comparative law study of information privacy laws in the United States and
Australia. It examines draft consumer privacy legislation from the United States to reveal
its strengths and weaknesses in terms of addressing the significant privacy concerns that
relate to Big Data’s discovery of personal data and subsequent profiling by businesses.
© 2016 Nancy J. King & Jay Forder. Published by Elsevier Ltd. All rights reserved.

datasets and technical advances in data analytics, Big Data has

1. Introduction
Governments and commentators around the world are won-
dering how to best protect consumers’ privacy in the world of
Big Data, with notable policy analysis being issued by Euro-
pean regulators and the Office of the President in the United
States (The White House).1 Fueled by the availability of vast
the potential to provide big value to citizens, businesses and
governments.2 It is the next giant leap in the knowledge revo-
lution. Enormous quantities of data are being collected into
digital databases from many sources such as Internet activ-
ity, satellites, sensors, RFID tags and GPS-enabled devices like
cameras and smartphones.3Analysis of this data by Big Data
facilitates data-directed decision-making, which, according to

* Corresponding author. College of Business, Oregon State University, Corvallis, Oregon, USA.
E-mail address: kingn@bus.oregonstate.edu (N.J. King).
1
See, for example, Big Data: Seizing Opportunities, Preserving Values, Exec. Office of the President, Under Discussion United States (May
2014) (White House Report on Big Data); Meeting the Challenges of Big Data, A call for transparency, user control, data protection and
accountability, European Data Protection Supervisor, European Union, Opinion 7/2015 (NOV. 19, 2015) (EDPS OPINION ON BIG DATA).
2
See generally, Christopher Kuner et al., The Challenge of “Big Data” for Data Protection, 2(2) Int’ Data Privacy L. 47 (2012); K. Krawsnow
Waterman & Paula J. Bruening, Big Data Analytics: Risks and Responsibilities, 4(2) Int’l Data Privacy L. 89 (2014).
3
Working Paper on Big Data and Privacy, Privacy principles under pressure in the age of Big Data analytics, International Working Group
on Data Protection in Telecommunications, 55th Meeting, SKOPJE, p. 3 (item 9) (May 5–6, 2014) (Berlin Group Working Paper on Big Data
and Privacy) http://www.datenschutz-berlin.de/attachments/1052/WP_Big_Data_final_clean_675.48.12.pdf?1407931243 (last visited Feb. 15,
2016).
http://dx.doi.org/10.1016/j.clsr.2016.05.002
0267-3649/© 2016 Nancy J. King & Jay Forder. Published by Elsevier Ltd. All rights reserved.
 computer law & security review 32 (2016) 696–714
recent research, helps companies improve productivity and
managerial performance.4 Further, Big Data’s use of data ana-
lytics helps companies offer personalized goods and services,
deliver targeted marketing communications, strengthen com-
panies’ information security systems and prevent fraud.5
Consumer profiles produced in Big Data are not limited to
simple compilations of factual information about consumers
that has been collected from consumers during their direct in-
teractions with companies. Instead, Big Data facilitates
construction of consumer profiles to include other personal data
that has been derived or inferred through data analytics, the
so called “fruits” of data analytics.6 In this article, we refer to
the fruits of data analytics as “discovered data”.7 Consumer pro-
files so constructed in Big Data “can be exceptionally detailed,
containing upwards of thousands of pieces of data”.8 As The
White House concluded “more often than not, consumers do
not understand the degree to which they are a commodity”9
in Big Data and “there remains the potential for a disquieting
asymmetry between consumers and the companies that control
information about them”.10
The primary aim of this article is to help global regulators
find appropriate privacy principles and use them to craft leg-
islation to protect consumers’ information privacy in Big Data,
a goal that has been taken-up by policy-makers, regulators and
scholars in many other countries.11 In the European Union, the
European Data Protection Supervisor (EDPS) emphasizes the
importance of meeting consumer privacy challenges associ-
4
Omer Tene & Jules Polonetsky, Big Data for All: Privacy and User
Control in the Age of Analytics, 11(5) Nw, J. Tech. Intell. Prop., 239, 243-
44 (2013) (summarizing studies that show companies using “data-
directed decision-making” are more productive and there is a strong
link between effective data management strategy and financial per-
formance).
5
Tene & Polonetsky, supra note 4, at 249–251.
6
White House Report on Big Data, supra note 1, at 44; Water-
man & Bruening, supra note 2, at 89. In this article, the authors use
the terms “data” and “information” to mean the same thing.
7 14
Discovered data includes data described as “modeled data” in
the White House Report on Big Data, supra note 1.
8
White House Report on Big Data, supra note 1, at 44.
9
White House Report on Big Data, supra note 1, at 41 (discuss-
ing the advertising-supported ecosystem of Big Data).
10
White House Report on Big Data, supra note 1, at 39.
11
See generally, White House Report on Big Data, supra note 1; Big
Data and Privacy: A Technological Perspective, Report to the Presi-
dent, Executive Office of the President, President’s Council of
Advisors on Science and Technology, United States, ix (May 2014)
(Big Data and Privacy: A Technological Perspective); Big Data: Seizing
Opportunities, Preserving Values, Interim Progress Report, Execu-
tive Office of the President, United States (Feb. 2015) (Interim Progress
Report); FTC Report, Big Data, A Tool for Inclusion or Exclusion,
Federal Trade Commission, United States (Jan. 2016) (FTC Report,
Big Data); Data Brokers, A Call for Transparency and Accountabil-
ity, Federal Trade Commission, United States (May 2014) (FTC Data
Broker Report); EDPS Opinion on Big Data, supra note 1; Berlin Group
Working Paper on Big Data and Privacy, supra note 3; Comments
of the Information Accountability Foundation, Before the Na-
tional Telecommunications & Information Administration,
Department of Commerce, Washington, D.C., United States (Aug.
4, 2014) (IAF Comments), http://informationaccountability.org/
wp-content/uploads/TIAF-Big-Data-Comments-for-NTIA.pdf.
697
ated with Big Data’s application of data analytics.”12 According
to the EDPS, these privacy challenges include “lack of trans-
parency” between organizations that process personal data
about individuals and those individuals, with organizations
claiming “secrecy over ‘how’ data is processed on grounds of
commercial confidentiality”.13 The EDPS predicts “informa-
tional imbalance between the organisations who hold the data
and the individuals whose data they process is likely to in-
crease with the deployment of big data applications.”14
Another aim of this article is to contribute ideas to the
ongoing effort in the United States to adopt federal con-
sumer privacy legislation that protects consumers’ privacy in
the era of Big Data.15 Following comprehensive study of the need
to protect consumers’ information privacy in Big Data, a dis-
cussion draft of legislation for a federal consumer privacy law
was issued by the Office of the President in 2015.16 This article
analyzes the strengths and weaknesses of this discussion draft
and makes suggestions to improve it in order to address sig-
nificant privacy concerns related to the discovery of personal
data through data analytics and its use for consumer profiling.
Following this introduction, Section 2 provides an over-
view of Big Data, describing how the industry’s use of data
analytics facilitates consumer profiling by businesses. Section
3 identifies important consumer privacy concerns associated
with Big Data’s use of data analytics to discover personal data
for consumer profiling. Section 4 argues that the scope of in-
formation privacy legislation should include discovered data
that is also personal data. Section 5 applies recognized prin-
ciples of data protection and privacy to the context of personal
information discovered through data analytics, providing sug-
gestions for drafting consumer privacy legislation to encompass
discovered personal information and its use for consumer pro-
filing. These drafting suggestions benefit from a comparative-
law analysis of consumer privacy principles found in
information privacy laws in the United States and Australia.17
12
See generally, EDPS Opinion on Big Data, supra note 1.
13
EDPS Opinion on Big Data, supra note 1, at 8.
EDPS Opinion on Big Data, supra note 1, at 8.
15
Consumer Data Privacy in a Networked World: A Framework for
Protecting Privacy and Promoting Innovation in the Global Digital
Economy, The White House, Washington, D.C., United States (Feb.
2012) (2012 CPBR) (announcing the Obama administration’s vision
for new federal consumer privacy legislation requiring private-
sector businesses to follow seven Fair Information Privacy Principles
(FIPPs) that are collectively referred to in this policy paper as “The
Consumer Privacy Bill of Rights”), http://www.whitehouse.gov/sites/
default/files/privacy-final.pdf. Gregory, et al., President Obama’s Plans
for Cybersecurity, Broadband, and “Big Data,” Lexology (Jan. 15, 2015).
16
The document titled “Administration Discussion Draft: Con-
sumer Privacy Bill of Rights Act of 2015” was released by The White
House on February 28, 2015 (Discussion Draft), http://www
.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-
act-of-2015-discussion-draft.pdf (last visited Feb. 2, 2016). To date,
no proposed consumer privacy legislation has been introduced in
Congress to implement the FIPPS announced in the 2012 CPBR, supra
note 15, or in the Discussion Draft.
17
The Privacy Amendment (Enhancing Privacy Protection) Act 2012
(Cth) amended the Australian Privacy Act 1968 (Cth). It amalgam-
ated the two sets of privacy principles which had previously
operated in different spheres into one set of 13 Australian Privacy
Principles (APPs). It took effect on March 12, 2014.
698 computer law & security review 32 (2016) 696–714
Section 6 looks at how well the discussion draft of federal con-
sumer privacy issued by the Office of the President of the United
States, if introduced into Congress as proposed legislation and
adopted into law, would protect consumers’ privacy related to
discovered personal information and its use for consumer pro-
filing. Finally, Section 7 offers conclusions.
2. Overview of Big Data, data analytics and
consumer profiling
The Big Data industry’s use of data analytics technologies fa-
cilitates pervasive and potentially privacy-intrusive profiling
of individuals. Privacy concerns regarding profiling of indi-
viduals, whether conducted by governments, businesses or
other data controllers, have concerned privacy regulators and
scholars for several years.18 With the advent of Big Data and
the advances in data analytics technologies, it is now time to
examine the privacy implications of consumer profiling by
businesses.
Simply put, “profiling is the process of discovering corre-
lations between data in databases that can be used to identify
and represent” a data subject and/or to place the data subject
in a group or category.19 Many of the business advantages that
flow from Big Data relate to the industry’s involvement in pro-
ducing detailed consumer profiles that describe individuals or
categorize them as part of a group, for example, to include or
exclude individual consumers from a desirable market
segment.20 In the context of this paper, Big Data applies data
analytics technologies to databases to produce a dataset (con-
sumer profile) that identifies or categorizes an individual person
(data subject). Commercial purposes for consumer profiling
include helping companies to assess business opportunities
or risks regarding individual data subjects.21
So, what then is Big Data? In simple terms, it refers to the
exponential growth and availability of data. Given the absence
of a universally accepted definition, Big Data is usually de-
scribed by reference to key characteristics which distinguish
it from other collections of data. Most descriptions incorpo-
rate the three “v” characteristics identified by the research
18
See, for example, Recommendation CM/REC (2010)13 of the Com-
mittee of Ministers to member states on the protection of individuals
with regard to automatic processing of personal data in the context
of profiling (Adopted by the Committee of Ministers at the 1099th
meeting of the Ministers’ Deputies), Council of Europe (NOV. 23, 2010);
European Union’s Directive 95/46/EC of 24 October 1995 on the pro-
tection of individuals with regard to the processing of personal data
and on the free movement of such data, OJ L 281, 23.11.1995 (EU
Data Protection Directive); Advice paper on essential elements of
a definition and a provision on profiling within the [Proposed] EU
General Protection Regulation, Article 29 Data Protection Working
Party, European Union (May 13, 2013).
19
See Bart W. Schermer, The Limits of Privacy in Automated Profiling
and Data Mining, 27 Computer L. Sec. Rev. 45, 45 (2011); Mireille
Hildebrandt, Defining Profiling: A New Type of Knowledge?, in Profil-
ing the European Citizen, Cross-Disciplinary Perspectives 19 (Springer
Science, Mireille Hildebrandt and Serge Gutwirth, eds., Springer
Science, 2008) (Profiling the European Citizen).
20
Schermer, supra note 19, at 45.
21
Profiling the European Citizen, supra note 19, at 19–20.
company, Gartner: the volume of data, the velocity (meaning
the speed) with which it is being produced, and the variety of
sources and types.22 Thus, for example, Kshetri cites Gartner.com
when describing Big Data as “high-volume, high-velocity and
high-variety information assets that demand effective, inno-
vative forms of information processing for enhanced insight
and decision making.”23 Some commentators suggest addi-
tional characteristics for Big Data, such as variability (the peaks
and troughs in data flow) and complexity (the challenges of
making sense of the data).24 The International Working Group
on Data Protection in Telecommunications (The Berlin Group)
provides a pragmatic description of Big Data:
Big Data is a term which refers to the enormous increase
in access to and automated use of information. It refers to
the gigantic amounts of digital data controlled by compa-
nies, authorities and other large organizations which are
subjected to extensive analysis based on the use of
algorithms.25
Big Data can also be described as a value chain comprised
of four basic stages: data collection; data storage and aggre-
gation; data analysis; and use of the results.26 There are many
stakeholders that operate in this value chain. Given this arti-
cle’s focus on private-sector stakeholders, major players include:
search engines; hardware, software and operating system
vendors; social networks; retailers; data brokers; advertising
networks; and telephone providers.27
Any description would be lacking if it ignored Big Data’s role
in making sense of vast amounts of data. As the President’s
Council of Advisors on Science and Technology have noted:
[Data] analytics is what makes Big Data come alive. Without
analytics, big datasets could be stored, and they could be
retrieved, wholly or selectively. But what comes out would
be exactly what went in. . . . Big Data is big in two senses.
It is big in the quantity and variety of data that are avail-
able to be processed. And it is big in the scale of analysis
(termed “analytics”) that can be applied to those data, ul-
timately to make inferences and draw conclusions.28
It is the combined effect of the amount of data to be ana-
lyzed and the scale of analysis applied to the data which
distinguishes Big Data. To appreciate the combined effect of
22
Gartner, Big Data (2013), http://www.gartner.com/it-glossary/
big-data/.
23
Nir Kshetri, Big Data’s Impact on Privacy Security and Consumer
Welfare, 38 Telecomm. Pol’y 1134, 1134 (2014).
24
Keith Gordon, Big Data Technologies in BCS, The Chartered Insti-
tute for IT (eds), Big Data: Opportunities and Challenges, BCS
Learning and Development, at 4–5 (2014).
25
See Berlin Group Working Paper on Big Data and Privacy, supra
note 3, at 1.
26
See Berlin Group Working Paper on Big Data and Privacy, supra
note 3, at 18.
27
Stakeholders may be involved in more than a single compo-
nent of the value chain. See Berlin Group Working Paper on Big Data
and Privacy, supra note 3, at 18.
28
Big Data and Privacy: A Technological Perspective, supra note
11, at ix.
 computer law & security review 32 (2016) 696–714
these developments in facilitating enhanced consumer pro-
filing by businesses, one also needs to consider: the variety of
sources and sheer quantity of consumer data available for
analysis in Big Data; how application of data analytics to the
sources and quantity of data in Big Data may create more per-
sonal data; and how the data so created may be used by
companies that are engaged in profiling consumers.
2.1. Sources and quantity of data
Big Data collects data from a wide variety of sources, both online
and offline.29 These databases may include digital data (so called
“born digital”), as well as data that is not digital at its incep-
tion (so called “born analog”) that may subsequently be captured
in digital form.30 Data collected in this way may encompass
data volunteered by individuals (such as hobbies and inter-
ests declared by users on Social Networks or blogs); data
observed about individuals (such as location information,
browser history, shopping habits); data inferred about indi-
viduals (such as credit ratings, profiles built from online
activities); and data that is included in legal sources (such as
patient records and tax records).31
Sources of large quantities of consumer data available in
Big Data include data that have not been collected directly from
consumers and data that may have been collected for other
purposes. Examples of secondary sources of data include: data
collected from the government (for example, federal census data
about the demographics of people living in certain city blocks
including ethnicity, age, education level and occupations); data
collected from other publicly available sources (for example,
data obtained by crawling social media and blogs); and data
collected from other businesses that sell or share consumer
data (such as retailers or registration websites where consum-
ers provide data when registering or logging in to obtain
services).32 Data brokers are one type of key businesses in-
volved in Big Data that may obtain consumer data from
secondary sources like other businesses or governments, as
opposed to collecting the data directly from consumers.33
Big Data’s capacity to analyze many sources of data and vast
quantities of data make it a challenge to regulate privacy using
existing approaches to privacy regulation that are often based
on underlying assumptions that data should be primarily col-
lected directly from the data subject and that data processing
should be limited to the primary purposes of its collection. The
reality is that many participants in the Big Data industry, such
as data brokers, are not “consumer-facing,” meaning that they
29
White House Report on Big Data, supra note 1, at 5 (providing
a partial list of the sources and formats of Big Data).
30
Big Data and Privacy: A Technological Perspective, supra note
11, at 19–20 (Digital data typically are “accompanied by ‘metadata’
or ancillary data that explain the layout and meaning of the data
they describe. For example, databases have schemas and emails
have headers, as do network packets.”). Digital data and metadata
may include identifying information such as account numbers, login
names, and passwords. Id.
31
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 18 (providing examples of the manner that personal data are
collected in the Big Data value chain).
32
FTC DATA Broker Report, supra note 11, at 11–13.
33
FTC Data Broker Report, supra note 11, at 13–14.
699
do not deal directly with consumers. Instead, participants in
Big Data typically access consumer data from secondary sources
and process that data for purposes that were not known at the
time data was initially collected.34 These characteristics of Big
Data may result in a lack of transparency for consumers that
complicate efforts to ensure their information privacy.
2.2. Applying data analytics to discover additional
profiling data
Another key feature of the Big Data industry is its use of ad-
vanced data analytics.35 Industry stakeholders engaged in this
segment of the value chain benefit from constant increases in
computing power and the availability of sophisticated tools to
analyze data. The use of computer algorithms, described as se-
quences of steps and instructions that can be applied to
datasets, is a key characteristic of data analytics.36 As noted
by The Berlin Group:
A central element in the creation of value at this step is to
merge data from various different sources to generate pro-
files and use analysis tools to derive information which would not
otherwise be available. . .. Examples of analysis techniques as-
sociated with Big Data include: Data Mining, Machine
Learning, Social Network Analysis, Predictive Analytics,
“Sensemaking”, Natural Language Processing and
Visualization.37
In Big Data, data analytics may be used to produce new data
that goes beyond simply collecting and aggregating indi-
vidual pieces of consumer data that are already contained in
an existing database (so called “direct data,” “raw data,” or
“actual data”).38 When multiple sources of data are combined
34
FTC Data Broker Report, supra note 11, at 8–9 (reporting the
results of an in-depth study of the business practices of nine data
brokers in the United States).
35
“Modern information processing ranges from transactions to
statistics to advanced analytics that we call big data.” IAF Com-
ments, supra note 11, at 2.
36
See, White House Report on Big Data, supra note 1, at 46; Berlin
Group Working Paper on Big Data and Privacy, supra note 3, at 18
(explaining “Algorithms generate categories for filtering informa-
tion, operate on data, look for patterns and relationships, or generally
assist in the analysis of information component of data analyt-
ics.” The steps included in an algorithm are informed by the author’s
knowledge, motives, biases and desired outcomes; however, the
output of an algorithm may not reveal any of those elements, nor
may it reveal the probability of mistaken outcomes, arbitrary choice
or the degree of uncertainty in the process.). See also, White House
Report on Big Data, supra note 1, at 46 (commenting “the final
computer-generated product or decisions [resulting from applica-
tion of an algorithm to data in the data analytics stage of Big Data]
– used for everything from predicting behaviour to denying op-
portunity – can mask prejudices while maintaining a patina of
scientific objectivity”). Governments are also customers of the Big
Data Industry. Because this paper focuses on consumer privacy
issues related to discovered data for commercial profiling by the
private-sector, it does not discuss government uses of discovered
data to profile citizens.
37
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 5 (emphasis added by authors).
38
FTC Data Broker Report, supra note 11, at 19.
700 computer law & security review 32 (2016) 696–714
into very large datasets for analysis, it is possible to make in-
ferences or draw conclusions about individuals that would not
otherwise be retrievable from the datasets.39 In some cases, the
application of data analytics in Big Data may reveal personal
data, including sensitive personal data, from de-identified or
aggregate datasets.40 This article uses the term “discovered data”
to refer to the types of new information that may be pro-
duced by applying data analytics to datasets available in Big
Data, recognizing that this type of data has also been de-
scribed as inferred, derived data or even modeled data.41
There are at least two sources of discovered data about con-
sumers that may be produced through application of big data
analytics to databases. First, “personal data may be inferred by
the processing and analysis of data collected for previous and
other purposes”. 42 Second, “personal data may also be
derived from various sets of information that appear to be
anonymous”.43
Research shows that data analytics, when applied to non-
personal data, including “aggregated”44 datasets that have
supposedly been de-identified, may reveal the identities of in-
dividuals behind the data, thus converting non-personal data
back to personally-identifying data.45 Further, Big Data’s ap-
plication of data analytics may facilitate discovery of sensitive
personal attributes about consumers that consumers may prefer
not to share with others for profiling purposes, such as their
sexual orientation, financial status, or race, or whether they
are pregnant or suffering from a particular disease.46 For
example, research examining the digital records of consum-
39
White House Report on Big Data, supra note 1, at 44 (discuss-
ing how profiling in Big Data produces products that include factual
information about individuals as well as “modeled” elements that
have been “inferred” from other data); Waterman & Bruening, supra
note 2, at 89 (commenting that “Big data analytics sifts through
mountains of data to identify or predict facts about individuals and
to use those facts in decisions ranging from which products to sell
them to whether to provide them medical treatment”).
40
IAF Comments, supra note 11, at 2.
41
White House Report on Big Data, supra note 1, at 44.
42
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 4, 12(v) (emphasis in original).
43
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 4, 12(v) (emphasis added).
44
Companies that collect data may thereafter aggregate the data
for the purpose of obtaining insight “regarding a group of indi-
viduals, not individual persons,” for example, by displaying data
as sum totals. Berlin Group Working Paper on Big Data and Privacy,
supra note 3, at 4 (n.16).
45
The term personal data, or “personally-identifying informa-
tion,” has various definitions under different laws. There is a trend
in privacy laws to broadly define personal data to include data that
can reasonably reveal the identity of a person as well as data as-
sociated with device identifiers. See discussion, infra, notes 82 and
86 and accompanying text (providing examples of privacy laws that
include internet protocol (IP) addresses and similar persistent iden-
tifiers for consumer devices under the definition of personal data).
46
Kshetri, supra note 23, at 1137 (summarizing studies that show
data analytics may be used to make predictions of personal attri-
butes about consumers that reveal sensitive personal information
about consumers; this is the case even if the underlying data ana-
lyzed is not personally-identifying information). See also, Kosinski,
et al., Private traits and attributes are predictable from digital records
of human behavior, Proceedings of the National Academy of Sciences,
1 (2013), at http://www.pnas.org/content/110/15/5802 (Feb.2 2, 2016).
ers’ social networking behavior shows the feasibility of
“automatically and accurately predict[ing] a range of highly sen-
sitive personal attributes including: sexual orientation, ethnicity,
religious and political views, personality traits, intelligence, hap-
piness, use of addictive substances, parental separation, age
and gender,” in situations where these personal attributes of
social network users were not actually recorded in the datasets
that were analyzed.47
Data brokers are key players involved in applying data ana-
lytics to discover data to include in consumer profiles.48 Despite
their key role in the Big Data value chain, most of the data col-
lection and processing activities of data brokers in Big Data are
not currently governed by federal privacy laws in the United
States.49 This is not the case in many other parts of the world
where comprehensive data protection legislation that may
protect consumers’ privacy in Big Data exists. For example, in
the European Union, existing data protection laws apply to data
processing activities in Big Data.50
2.3. Using discovered data for consumer profiling
Highly detailed consumer profiles facilitated by Big Data may
be produced in near real-time, with the goal of helping com-
panies to better predict individual preferences and behaviors
of consumers in order to deliver just the right message, product
or service to individual consumers.51 Consumer profiles, in-
cluding those that include discovered data, may be used by
businesses for a variety of commercial purposes such as: fa-
cilitating direct, online and mobile marketing (e.g., personalized
targeted marketing and online behavioral advertising); pro-
viding risk mitigation for online and offline business contexts
(including identity verification and fraud detection); and en-
abling consumers to locate other people either online or offline
(e.g., friend finding services related to consumers’ use of social
networking).52 It is likely that consumer profiling utilizing data
47
Kosinski et al., supra note 46, at 1.
48
FTC Data Broker Report, supra note 11, at 19.
49
FTC Data Broker Report, supra note 11, at i (most data collec-
tion, processing and sale activities of data brokers are not currently
regulated under federal Fair Credit Reporting Act).
50
See Statement of the WP29 on the impact of the development
of Big Data on the protection of individuals with regard to the pro-
cessing of their personal data in the EU, Article 29 Data Protection
Working Party, European Union (Sept. 16, 2014). When it comes into
effect, the European Union’s newly adopted General Data Protec-
tion Regulation will replace the EU Data Protection Directive, supra
note 18, and it will also apply to data brokers and other stake-
holders in Big Data. See generally, Press Release, Data protection
package: Parliament and Council now close to a deal, European Par-
liament News (Dec. 15, 2015), http://www.europarl.europa.eu/
news/en/news-room/20151215IPR07597/Data-protection-package-
Parliament-and-Council-now-close-to-a-deal.
51
White House Report on Big Data, supra note 1, at 7. Compa-
nies may use data analytics for purposes other than consumer
profiling, e.g., to estimate and predict business performance. Id.
52
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 18; FTC Data Broker Report, supra note 11, at 22–35 (reporting
that data brokers may store data in the form of individual con-
sumer profiles that contain a consumer’s contact and demographic
information or using unique identification numbers).
 computer law & security review 32 (2016) 696–714
discovered through application of data analytics will enable
companies to provide enhanced personalization of digital
systems and devices for consumers, such as personalized shop-
ping experiences. Many companies are involved in using
consumer profiling for commercial purposes, including search
engine providers, hardware, software and operating systems
vendors, social networks, advertisers, retailers, consumer credit
companies, telephone providers, and health services
companies.53
In sum, consumer profiling, enhanced with data discov-
ered through data analytics applied in Big Data, aims to improve
the “relevance of marketing and product recommendations [of
companies] . . . by adding psychological dimensions to current
users’ [profiles].”54 However, as explored in the next section,
there is a need to look closely at the possible privacy harms
for consumers that relate to this type of profiling and to con-
sider whether adopting consumer privacy protections may
mitigate those harms.
3. Privacy concerns about discovered data
and consumer profiling
The use of discovered data for consumer profiling raises
distinctive consumer privacy concerns due to the possibility
of deriving “non-obvious private information . . . from data
that, at the time of their collection, seemed to raise no, or
only manageable, privacy issues”.55 More precisely, “one can
never know what information may later be extracted from
any particular collection of big data, both because that infor-
mation may result from the combination of seemingly unrelated
data sets, and because the algorithm for revealing the new
information may not even have been invented at the time of
collection”.56
To illustrate the nature of the privacy issues that arise in
Big Data when data analytics are applied to vast databases for
the purpose of discovering data to include in consumer pro-
files, it is helpful to consider a specific context, such as online
behavioral advertising (OBA).57 In OBA, highly-detailed knowl-
edge profiles about consumers are constructed for use in
generating targeted advertising. In this context, at least five dif-
ferent privacy risks arise.58
53
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 18 (listing stakeholders in the usage segment of the Big Data
value chain, which also include the public sector).
54
Kosinski et al., supra note 46, at 8.
55
Big Data and Privacy: A Technological Perspective, supra note
11, at ix.
56
Big Data and Privacy: A Technological Perspective, supra note
11, at ix.
57
Self-Regulatory Principles for Online Behavioral Advertising,
Federal Trade Commission, United States (2009).
58
See generally, Nancy J. King & Pernille Wegener Jessen, Profiling
the Mobile Customer, Part I, 26 Computer L. Sec. Rev. 455, 457 (2010).
701
3.1. Data protection
Big Data gives rise to several personal data protection risks.59
These include the high likelihood that consumers will not be
aware of, or able to exercise control over, the production and
use of discovered data about themselves. They will also find
it difficult to prevent the misuse of discovered data that may
cause significant harm, including potential exposure of sen-
sitive information that consumers may prefer to keep private.
There is a need to find an appropriate balance between con-
sumers’ data protection rights and the rights of companies to
discover, use and share discovered data for commercial pur-
poses. As pointed out above, one of the difficulties when
assessing these data protection risks is that Big Data in-
cludes “non-consumer facing” businesses. Nor are consumers
likely to be aware of how discovered data is used and shared
by industry stakeholders for a variety of commercial applica-
tions that involve consumer profiling or the possible impacts
of such profiling. To address consumers’ data protection risks
requires rethinking how fair information practices principles
should be employed by companies to protect consumers’
privacy.
3.2. Surveillance
One of the privacy risks associated with the discovery of per-
sonal data through data analytics is that it is akin to secret
surveillance. The discovery of personal data through data ana-
lytics is analogous to the privacy intrusion associated with
pervasive online and offline commercial tracking of consum-
ers and collection of observed behavior for OBA.60 Privacy
intrusions arise when consumers are not aware of the extent
that Big Data gathers personal information about consumers
and that data analysis of the underlying datasets enables further
discovery of non-obvious private information that can also be
used for consumer profiling. Such intrusions raise broader
privacy issues related to personal autonomy and liberty, not
59
The term data privacy or information privacy is often used to
describe data protection in the United States and are used inter-
changeably in this article. These terms encompass consumers’ rights
to have their personal data handled according to fair information
practices principles that have been broadly recognized in differ-
ent international instruments and in many countries’ laws. See, for
example, 2012 CPBR, supra note 15, at 9 (n.9).
60
See, e.g., Stalkers, Inc., The Economist (Sept. 13, 2014) (arguing “sur-
veillance is the advertising industry’s new business model” and
“privacy needs better protections”); Watched: A Wall Street Journal
Privacy Report, The Wall St. J. Online (2012), http://www.wsj.com/
public/page/what-they-know-digital-privacy.html (last visited Feb.
2, 2016). See also, Tene & Polonetsky, supra note 4, at 251 (comment-
ing that the accumulation of personal data has an “incremental
adverse effect” on privacy; “once any piece of data has been linked
to a person’s real identity, any association between this data and
a virtual identity breaks anonymity of the latter”).
702 computer law & security review 32 (2016) 696–714
just data protection concerns.61 The problem of pervasive,
secret surveillance of consumers by businesses has been de-
scribed as one of “information imbalance” or “information
asymmetry”.62 In the context of discovered data and con-
sumer profiling, it describes a problem that results from
consumer not being aware of the profiling and not having access
to their profiles that include discovered data. A consumer who
is not privy to information about herself is also not likely to
understand or alter her behavior in a transaction with the seller
in order to avoid a potentially negative or harmful result from
the profiling, for example, by seeking to correct errors in her
profile or trying to find another seller who offers better terms.63
3.3. Privacy-intrusive commercial solicitations
Another privacy risk associated with the discovery of per-
sonal data using data analytics is the possibility that consumers
may receive privacy-intrusive commercial solicitations that have
been tailored for them using this type of data. Advertise-
ments generated on the basis of consumer profiles built on
discovered data may disclose embarrassing or otherwise private
information to others. A well-known example of this type of
privacy-intrusive commercial solicitation is Target Stores’ ad-
vertising of pregnancy and baby-related products that were sent
to a teenager who was profiled as pregnant based on obser-
vations of her shopping behavior. When the teenager’s father,
who had not yet been told of the pregnancy, became aware of
the advertisements, he also learned about his daughter’s
pregnancy.64 The list of possible sensitive personal data that
could be inferred or derived through data analytics is endless,
including medical conditions or treatment, sexual behavior or
orientation, impending divorce or death in the family, finan-
cial difficulties, interest in changing employment or retirement,
etc.
3.4. Security risks
There are heightened data security concerns that relate to dis-
covered data and its use in consumer profiling. One such
security concern is that the discovery of data through data ana-
lytics and its use in consumer profiling may expose consumers
to additional risks of being victims of online fraud or identity
61
EDPS Opinion on Big Data, supra note 1, at 8 (quoting from a
report issued by the Office of the President of the United States:
“some of the most profound challenges revealed during this review
concern how big data analytics may . . . create such an opaque
decision-making environment that individual autonomy is lost in
an impenetrable set of algorithms.”) The EDPS concluded that in-
dividuals must be provided with appropriate information and control
to avoid a situation in which individuals will be “subject to deci-
sions that they do not understand and have no control over.” Id.
62
EDPS Opinion on Big Data, supra note 1, at 8; King & Jessen, supra
note 58, at 459–461.
63
King & Jessen, supra note 58, at 459–461.
64
Karl S. Kruszelnicki, Pregnant, Big Data is Watching You, ABC Science
(Apr. 15, 2014) (discussing how Target Stores used data analytics
to construct a pregnancy prediction score, so that it could send mar-
keting communications tailored for pregnant customers),
http://www.abc.net.au/science/articles/2014/04/15/3985934.htm (last
accessed Feb. 2, 2016).
theft. For example, data analytics applied to combined data-
bases of supposedly anonymous aggregated data may reveal
the identity of consumers behind the data, thus converting ag-
gregate data to personally-identifying information. This practice
may enhance the likelihood that consumers will receive fraudu-
lent solicitations by enhancing the ability of the sender to make
it appear to be sent from trusted sources. Additionally, it is likely
that converting large databases of aggregate data to personally-
identifying data would make these sources more attractive to
hackers and identity thieves, thus increasing the risk that con-
sumers will become victims of identity theft.65 A second security
concern is that these Big Data activities may result in con-
sumers being erroneously profiled as persons engaged in
identity fraud.66 This concern arises because there is the pos-
sibility that discovered information may be erroneous, leading
to profiling certain consumers as likely engaged in identity
fraud, when in fact they are not. This outcome would create
serious hurdles for consumers who are attempting to estab-
lish their identities in order to engage in commercial
transactions.67
3.5. Exposure to hidden unfair commercial practices
This privacy risk and associated harm may arise when data
analytics are applied to vast databases to discover which con-
sumers are likely to be willing to pay higher prices than other
consumers for certain goods.68 While personalized pricing may
be lawful and fair under most circumstances, in the context
of discovered information in Big Data, its use gives sellers an
unfair advantage if it makes consumers worse off, yet con-
sumers have little knowledge of the reasons why this is the
case.69 Further, it is recognized that discovered data may be
erroneous, since it reflects statistical correlations and predic-
tions that have known sources of error.70
65
See Berlin Group Working Paper on Big Data and Privacy, supra
note 3, at 8 (discussing security risks in Big Data, including severe
consequences of security failures that relate to enormous datasets).
66
Clare Sullivan, Digital Identity: An Emergent Legal Concept, 113–
116 (University of Adelaide Press, 2011) (Digital Identity)
(distinguishing identity theft and identity fraud).
67
Digital Identity, supra note 66, at 113–116 (commenting that “iden-
tity fraud is essentially deception as to any database identity
information including transaction identity information”).
68
Big Data and Differential Pricing, Executive Office of the Presi-
dent, United States, 2 (Feb. 2015) (exploring whether companies will
use information they harvest through Big Data to more effec-
tively charge different prices to different consumers, a practice
economists call price discrimination, which this report terms “dif-
ferential pricing”; discussing why differential pricing and Big Data
raise concerns that some consumers can be made worse off yet
have little knowledge about why this is the case).
69
Big Data and Differential Pricing, supra note 68, at 4.
70
See Schermer, supra note 19, at 48 (discussing potential errors
that can occur when data analytics are used to profile people, in-
cluding problems of “false positives” and “false negatives”; in data
analytics, people that in fact do not fit a classification may erro-
neously be included in the classification (a false positive), and people
that in fact fit the classification may be left out (false negative),
with potential consequences for the persons so misclassified). FTC
Report, Big Data, supra note 11.
 computer law & security review 32 (2016) 696–714
The discovery and use of erroneous data to include in con-
sumer profiles is particularly troubling from a privacy
perspective as there is no economic justification for allowing
commercial practices involving price discrimination in this
situation.71 To illustrate this risk, consider the possibility that
discovered data may lead to profiling certain consumers as more
likely to return used goods for a refund, likely increasing the
sellers’ costs, thus justifying advertising offers for this group
that feature higher prices as compared to prices offered to other
consumers. In fact the profile may be built on discovered data
that actually reflects consumers’ race, national origin, sex, age,
disability, etc., rather than revealing that these purchasers have
a higher likelihood of returning used goods for a refund as com-
pared to other purchasers.72
Although each of the above privacy concerns is impor-
tant, this article primarily focuses on resolving the first issue
outlined above, which we reframe as a question: “What data
protection rights should consumers have with respect to com-
panies that use data analytics to discover data about consumers
that is not directly retrievable at the time of collection and the
subsequent use of the data for consumer profiling?” In an-
swering this question, we recognize the limitations of notice
and consent mechanisms to protect consumer privacy, agree-
ing with those that argue the underlying goal of notice and
consent is to ensure consumers’ have control over collection
and use of their personal data, a goal that will be more real-
istically achieved in the era of Big Data by restating it to require
focused collection and respect for context.73 The protection of
privacy is more important than ever in Big Data where in-
creasing amounts of information are collected and “discovered”
about individuals, fueling consumer profiling by businesses.74
We think that there is a renewed need to consider how to best
achieve long-standing core fair information privacy prin-
ciples in Big Data that will ensure consumers’ information
privacy rights related to personal data discovered through data
analytics and its use for consumer profiling. To the extent that
the other privacy concerns described above cannot be ad-
dressed through application of fair information practice
principles, perhaps because they involve broader notions of per-
sonal privacy that do not involve personal data, they are beyond
the practical scope of this article, and will need further analysis.
71
Big Data and Differential Pricing, supra note 68, at 2 (Feb. 2015).
72
Schermer, supra note 19, at 47 (discussing the risks of discrimi-
nation that are part and parcel of data mining and profiling,
concluding that even when there is no prior desire to judge people
on the basis of characteristics such as ethnicity, gender, religion
or sexual preference, there is the risk of inadvertently discrimi-
nating against particular groups or individuals because “predictive
data mining algorithms may ‘learn’ to discriminate on the basis
of biased data used to train the algorithm”); White House Report
on Big Data, supra note 1, at 51–53.
73
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 1 (referencing scholarship that calls for decreasing
reliance on notice and consent in favor of regulating data use in
Big Data).
74
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 1–2.
703
4. Reconsidering the scope of information
privacy laws
Should discovered data, which are the “fruits” of data analyt-
ics, be included in the definition of personal data?75 This
question is important because traditionally consumer privacy
protections turn on the definition of personal data, so if dis-
covered data is not personal data, it would typically fall outside
the scope of laws requiring companies to apply fair informa-
tion practice principles.
Given that a primary aim of this article is to offer recom-
mendations for consumer privacy legislation in the U.S., a logical
starting point to decide whether discovered data is personal
data is President Obama’s 2014 policy paper, “Big Data: Seizing
Opportunities, Preserving Values” (White House Report on Big
Data).76 Although the White House Report on Big Data does not
expressly define personal data, it refers to an earlier policy paper
issued by the White House in 2012 that defined personal data.
In this 2012 policy paper, the Obama administration an-
nounced its support for the adoption of a new federal consumer
information privacy law and it articulated seven fair informa-
tion practices principles (FIPPs) to be included in the new law.77
The seven FIPPs described in this policy paper have been re-
ferred to as the Consumer Privacy Bill of Rights (2012 CPBR),
and it defines personal data as:
Any data, including aggregations of data, which is link-
able to a specific individual. Personal data may include data
that is linked to a specific computer or other device. For
example, an identifier on a smartphone or family com-
puter that is used to build a usage profile is personal data.78
In the context of this paper, discovered data is surely in-
cluded in the broad term “any data.” So to the extent that
discovered data is also linked or linkable to a specific indi-
vidual or linked to a specific device (whether or not included
in a consumer profile), it clearly falls within the 2012 CPBR’s
definition of personal data.
75
Big Data and Privacy: A Technological Perspective, supra note
11, at 45 (emphasis added) (concluding that for certain consumer
privacy protections to be meaningful, particularly the rights of access
and accuracy, “personal data must include the fruits of data ana-
lytics, not just collection”).
76
See generally, White House Report on Big Data, supra note 1.
77
See 2012 CPBR, supra note 15, at 9 (n.9) (referencing the devel-
opment of codes of fair information practices principles that have
evolved since 1973 when the U.S. Department of Health, Educa-
tion and Welfare issued its report, “Records, Computers, and the
Rights of Citizens,” including: Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data, Organisation for Eco-
nomic Co-operation (1973); the Privacy Framework, Asia-Pacific
Economic Cooperation and Development (2005) (APEC
Privacy Framework), http://www.apec.org/Groups/Committee-on
-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg
_privacyframewk.ashx (last visited Feb. 2, 2016).
78
2012 CPBR, supra note 15, at 10 (n. 12) (commenting on the simi-
larity between this definition of personal data and the definition
used by the federal government).
704 computer law & security review 32 (2016) 696–714
But what if the discovered data is based on analysis of ag-
gregated data that may or may not include links between the
data and specific consumers?79 As quoted above, the 2012 CPBR’s
definition of personal data provides a helpful starting point to
answer this question because it explicitly includes aggre-
gated data in the scope of personal data, at least to the extent
that it is linkable to a specific individual or a specific com-
puter or other device. The 2012 CPBR also explicitly references
usage profiles built based on device identifiers as examples of
personal data, thus encompassing consumer profiles. On the
other hand, if the de-identification process has actually
rendered the data anonymous, and it is not possible to re-
identify it, it also seems the “fruits” of data analysis (the
discovered data) would not be personal data because those fruits
are derived from anonymous data. However, one needs to con-
sider that when data analytics are applied to an aggregated
dataset, this may make it possible to re-link the data to spe-
cific individuals or specific computers or other devices, thus
restoring its status as personal data and likely making the fruits
of data analysis on the data set also personal data.80 It is ex-
ceedingly difficult to prevent re-identification of data.81 On the
question of whether discovered data or consumer profiles that
include discovered data are personal data, we conclude that
the application of data analytics to aggregated and stored data
to predict or infer personal attributes about consumers may
well result in producing discovered data that is personal data.
This is the case because the discovered data may enrich a con-
sumer profile related to an already identified or identifiable
person or specific device. Alternatively, discovered data may
be personal data because re-identification occurs or may be
reasonably possible if data analytics are applied to the dataset,
thus producing discovered data that is linked or linkable to an
identified or identifiable person or to a uniquely identifiable
device.
To conclude that discovered data may be personal data is
consistent with definitions of personal data that have been pro-
vided in the FTC’s privacy guidelines for the online behavioral
advertising (OBA) industry, one of the key applications of dis-
79
According to the Berlin Group Working Paper on Big Data and
Privacy, “some organizations aggregate and anonymise consumer
data before it is stored, while others store data containing per-
sonal identifiers.” Berlin Group Working Paper on Big Data and
Privacy, supra note 3, at 4–5 (item 14). In this context, aggregation
“can be understood as obtaining insight regarding a group of in-
dividuals, not individual persons. Aggregation entails display of data
as sum totals. Data which may be linked to, or identify, individu-
als are not displayed. Low values are hidden by rendering them
‘unclear’, or by erasing them. One example of Aggregation is the
use of average values.” Berlin Group Working Paper on Big Data and
Privacy, supra note 3, at 4 (n. 16).
80
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 7–8 (discussing the risks of re-identification of individuals as-
sociated with data that at first appears to be anonymous).
81
See FTC Staff Report: Self-Regulatory Principles for Online Be-
havioral Advertising, Federal Trade Commission, 21–22 (2009) (FTC
Staff Report on OBA) (discussing mechanisms by which anony-
mous data may become identifying data); Tene & Polonetsky, supra
note 4, at 259 (commenting that “researchers have the ability to
re-link almost any piece of data to an individual, if provided ap-
propriate incentive to do so”).
covered data in Big Data. In this context, the FTC defines
personal data to include:
Any data collected for online behavioral advertising that rea-
sonably could be associated with a particular consumer or
with a particular computer or device, [such as] clickstream
data that, through reasonable efforts, could be combined
with the consumer’s website registration information; in-
dividual pieces of anonymous data combined into a profile
sufficiently detailed that it could become identified with a
particular person; and behavioral profiles that, while not as-
sociated with a particular consumer, are stored and used
to deliver personalized advertising and content to a par-
ticular device.82
One of the interesting aspects of the FTC’s definition of per-
sonal data in OBA is its inclusion of the words “reasonably could
be associated” with a particular consumer or particular device.
These words have the effect of limiting the scope of personal
data. The FTC explains how a reasonableness limitation is
needed to take into account the technical difficulty of actu-
ally rendering personal data anonymous such that it cannot
be re-identified.83 According to the FTC, in the absence of a rea-
sonableness limitation, almost all data is identifiable or
potentially re-identifiable and it would be infeasible to apply
an information privacy framework to all information.84
Concluding that discovered data may be personal data when
it relates to a uniquely identified consumer device like a phone
or a computer is also consistent with the broad definition of
personal information adopted by the FTC in its rules under the
Children’s Online Privacy Protection Act.85 In these rules, the
FTC defined personal information to include persistent iden-
tifiers such as IP addresses that can be used to recognize
individuals over time, and as they move from one website to
another.86
Insights from Australian federal privacy law are also helpful
to craft the scope of data protection law for discovered data.
According to recently amended Australian privacy law, per-
sonal information means:
82
The FTC has broadly defined personal data to include data as-
sociated with unique identifiers. See FTC Staff Report on OBA, supra
note 81, at 25 (commenting that making a distinction between
personally-identifying data and non-PII is losing its relevance).
83
FTC Staff Report on OBA, supra note 81, at 21–22 (discussing
mechanisms to convert anonymous data to personally-identifying
data).
84
Tene & Polonetsky, supra note 4, at 258 (commenting that “with
a vastly expanded definition of PII, the privacy framework would
become all but unworkable”).
85
Children’s Online Privacy Protection Act of 1998, 13 U.S.C. Section
1302(9) (1998).
86
Children’s Online Privacy Protection Rule: Personal Data, 16 C.F.R.
Section 312.2 (2003) (defining personal information as including “a
persistent identifier that can be used to recognize a user over time
and across different Web sites or online services.” Such persis-
tent identifier includes, but is not limited to, a customer number
held in a cookie, an Internet Protocol (IP) address, a processor or
device serial number, or unique device identifier (UID).
 computer law & security review 32 (2016) 696–714
Information or an opinion about an identified individual,
or an individual who is reasonably identifiable: (a) whether
the information or opinion is true or not; and (b) whether
the information or opinion is recorded in a material form
or not.87
Recall that the data analytics step in the Big Data value chain
statistically imputes or derives personal attributes about con-
sumers that are analogous to facts or opinions about
consumers, for example, what risk group consumers are likely
to fall in for insurance purposes (an opinion) or their age or
race (facts). The Australian definition seems broad enough to
cover facts and opinions about identified consumers that have
been discovered through data analytics and included in con-
sumer profiles. The definition is also helpful because it
encompasses both true and false information. As we have
learned, discovered data may contain some level of false in-
formation, given the known sources of error that relate to
applying data analytics to discover data about consumers that
is not directly retrievable from a dataset.88 Further, the Aus-
tralian definition of personal data expressly includes
information about a person who is reasonably identifiable and
is not limited to data about persons who have actually been
identified. However, it may not be broad enough to include in-
formation linked to a uniquely identified device, such as a
mobile phone, in the absence of the phone being linked or rea-
sonably linkable to a specific person.89 Because discovered data
and computer profiles based thereon may exist only in digital
form, the Australian definition clearly covers information that
resides in computer systems, even if it has not been re-
corded in a material form.
A conclusion that discovered data is personal data when
it relates to a unique consumer device, as well as when it is
linked or linkable to a specific individual, is consistent with
the opinions of global privacy experts. For example, one such
group of experts, The Berlin Group, defines personal data in
Big Data to mean:
87
Privacy Act of 1988, s 6(1).
88
Schermer, supra note 19, at 48 (discussing potential errors in using
data analytics to profile people).
89
See generally, Combined set of Australian Privacy Principles Guide-
lines, Office of the Australian Information Commissioner (as at 1
April 2015), https://www.oaic.gov.au/agencies-and-organisations/
app-guidelines/ (last visited Mar. 1, 2016) (APPG). These guidelines
interpret the meaning of “reasonably identifiable”. APPG, at B.85
(stating that the following considerations apply in deciding when
an individual is reasonably identifiable from particular informa-
tion: the nature and amount of the information; the circumstances
of its receipt; who will have access to the information; other in-
formation held by or available to the entity covered by the Privacy
Act; whether it is possible for the entity that holds the informa-
tion to identify the individual using available resources and the
practicability of doing so given time and cost involved; and if the
information is publicly released, whether a reasonable member of
the public with access to the information would be able to iden-
tify the individual). Through the APPG, The Australian Information
Commissioner interprets the Australia’s Privacy Act of 1988 (APA),
including Schedule 1 of the APA that lists thirteen mandatory Aus-
tralian Privacy Principles (APPs). While the APPs are binding law,
the APPGs are not considered to be binding law.
705
Any information relating to an identified or identifiable in-
dividual. IP-addresses, mobile phone numbers, RFID-tags and
UDID-numbers are all examples of unique identifiers that
are considered to be personal data. Data that reveal infor-
mation about the habits and interests of uniquely identified
individuals are sought after by companies and govern-
ments. The industry is relentlessly developing new
techniques aimed at this purpose, for instance device fin-
gerprinting. As a result, the list of unique identifiers defined
as personal data is constantly expanding.90
Based on our evaluation of the mechanics of Big Data, and
consistent with FTC guidance, The Berlin Group’s analysis and
the Australian regulatory framework, we conclude that dis-
covered data is personal data when it is information, whether
fact or opinion, and whether true or false, that relates to an
identified consumer or that reasonably could be associated with
an individual or a uniquely identified device.91 Under this defi-
nition, discovered data is personal data if it is, or reasonably
could, be associated with an IP-address, mobile phone number,
or other unique identifier, even if the discovered data has been
derived through data analytics applied to otherwise anony-
mous data. Conversely, discovered data is not personal data
when it cannot reasonably be associated with an identified or
identifiable person or unique device. When making this de-
termination, one should consider whether it is reasonably
possible for the party holding the information to identify the
individual or device using available resources and the practi-
cability of doing so, including time and cost involved. When
discovered data is not personal data, but it is later identified
or identifiable to a consumer or a unique device, as when the
dataset from which the discovered data is drawn is re-identified
rendering the discovered data identified or identifiable, then
the data will be personal data.92
In sum, consistent with the FTC’s definition of personal data
in the OBA context and the Australian regulatory approach, dis-
covered data should be within the scope of consumer privacy
laws at a particular time only when it reasonably can be
associated with an identified or identifiable person or unique
90
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 3 (item 9). Defining personal data as any information relat-
ing to an identified or identifiable individual is consistent with the
OECD’s 2013 “Guidelines Governing the Protection of Privacy and
Transborder Flows of Personal Data,” http://www.oecd.org/sti/
ieconomy/2013-oecd-privacy-guidelines.pdf (last visited Feb. 2, 2016),
and the EU Data Protection Directive, supra note 18. The EU’s Article
29 Data Protection Working Party, in its Opinion 4/2007 on the
concept of personal data, interpreted the personal data to include
data associated with unique identifiers such as those listed in The
Berlin Group’s definition, http://ec.europa.eu/justice/policies/privacy/
docs/wpdocs/2007/wp136_en.pdf (last visited Feb. 2, 2016).
91
FTC Staff Report on OBA, supra note 81, at 25 (2009); Berlin Group
Working Paper on Big Data and Privacy, supra note 3, at 3 (item 9).
92
See also, Tene & Polonestsky, supra note 4, at 259 (arguing that
de-identification should be viewed “as an important protective
measure to be taken under the data security and accountability
principles, rather than a solution to the Big Data conundrum”; a
privacy framework should “continue to partially apply to de-
identified data because researchers have the ability to re-link almost
any piece of data to an individual, if provided appropriate incen-
tive to do so”).
706 computer law & security review 32 (2016) 696–714
device. A reasonableness limitation is necessary to balance the
need to effectively protect consumer privacy while also avoid-
ing regulating Big Data in ways that would be unlikely to further
consumer privacy. Personal data must be protected in a manner
that will not significantly interfere with the likelihood of achiev-
ing the potential societal benefits of Big Data or make data
protection for discovered data unmanageable for both regu-
lators and those regulated.93 Balancing these goals may require
considering whether technology or contractual restrictions may
be effective to prevent re-identification of individuals or devices
in datasets and restrict companies from using data analytics
to discover personal data that was not directly retrievable from
an otherwise de-identified dataset.94
5. Crafting consumer privacy laws for
discovered data and profiling
Having concluded that discovered data may be personal data,
we now explore how fair information practices principles (FIPPs)
should be applied to protect consumers’ privacy in the context
of discovered data used for consumer profiling. The con-
sumer privacy protections for Big Data that are described in
this section are only applicable when discovered data is also
personal data, described hereafter as “discovered personal in-
formation” or “DPI”. This section provides a comparative law
analysis of how to protect consumers’ privacy in DPI focus-
ing on the United States and Australia. It compares FIPPs
articulated in the 2012 CPBR with principles found in re-
cently amended Australian Privacy Principles (APPs). 95
Interpretive guidance on the Australian APPs is provided by the
Australian Privacy Principles Guidelines (APPGs), which were
issued by The Australian Information Commissioner.96
5.1. Reasons to compare privacy laws in the United
States and Australia
There are good reasons why comparing the federal informa-
tion privacy frameworks in the United States and Australia is
likely to be helpful in designing FIPPs for DPI. First, both the
United States and Australia have agreed to The Privacy Frame-
work established by the Asia-Pacific Economic Cooperation and
93
Tene & Polonetsky, supra note 4, at 258.
94
According to the FTC, to rely on the anonymity of data to avoid
consumer privacy regulations, organizations should make data not
reasonably identifiable to individuals, publicly commit not to re-
identify the data, and contractually require any downstream users
of the data to keep it in de-identified form. Protecting Consumer
Privacy in an Era of Rapid Change, Recommendations for Busi-
nesses and Policymakers, Federal Trade Commission, 22 (2012). See
also, Big Data and Privacy: A Technological Perspective, supra note
11, at 38–40 (discussing technologies and strategies for privacy pro-
tection in Big Data including encryption and anonymization).
95
APA, Schedule 1; APPG, A.1-A.10. The APPs, as amended, are in
effect since March 2014.
96
See generally, APPG, supra note 89.
Development (APEC Privacy Framework).97 Through the APEC
Privacy Framework, member nations commit to a principles-
based information privacy framework that supports global
commerce. Under this framework, agreed FIPPs guide devel-
opment of member countries’ information privacy laws.98 Unlike
the United States, Australia has already adopted federal con-
sumer privacy legislation; further, its federal information privacy
laws have recently been the subject of comprehensive review
by a legislative reform commission and have subsequently been
revised.99 As such, Australia provides an up-to-date model of
federal consumer information privacy legislation that may help
guide development consumer privacy legislation in other APEC
member countries, including the United States.
Second, both countries have federal and state levels of
privacy law, leading to complex “patchworks” of privacy leg-
islation that cover different sectors of the economy and
providing both federal and state enforcement mechanisms.100
For example, in both the U.S. and Australia, the information
privacy in the credit reporting industry is governed by sepa-
rate federal rules, such that the FIPPs proposed in the 2012 CPBR
and included in the APPs only apply to commercial informa-
tion privacy practices that are not otherwise regulated under
other federal privacy rules.101 In essence, the APPs provide a
97
APEC Privacy Framework, supra note 77, at 11–28. APEC’s fair in-
formation privacy principles include: preventing harm, notice,
collection limitation, uses of personal information, choice, integ-
rity of personal information, security safeguards, access and
correction, and accountability; 2012 CPBR, supra note 15, at 32 (n.
39).
98
2012 CPBR, supra note 15, at 32 (reporting that there are cur-
rently 21 members of APEC, which include the United States and
Australia).
99
Australian Privacy Law and Practice Report 108, Australian Law
Reform Commission, Australian Government, vols. 1–3 (May 2008)
(ALRC Report 108). See also, Peter Leonard, Privacy law in Australia:
An Overview, Lexology (March 10, 2014) (commenting that The Privacy
Act 1988 was amended by the Privacy Amendment Bill 2012 in ac-
cordance with recommendations of ALRC Report 108.
100
See King & Jessen, supra note 58, at 468 (providing an overview
of the patchwork of federal laws in the U.S. that regulate infor-
mation privacy and the gaps in current regulation). In Australia,
certain sectors of the economy and institutions are exempt from
The Privacy Act of 1988 (APA) and the APPs; Leonard, supra note 99,
at 9–13. Even when the APA applies, some industries are exempt
from compliance with the APPs. See, e.g., APA, A.17–18 (the APPs do
not apply to the handling of credit-related personal information
by credit reporting participants covered by APA, Part IIIA; however,
to the extent credit reporting participants’ actions are not regu-
lated by Part IIIA, the APPs apply to fill the gaps). In Australia, the
APA and the APPs do not replace privacy statutes enacted by state
or territory governments; examples include private-sector han-
dling of sensitive personal health information collected in the State
of Victoria and state regulation of workplace surveillance and sur-
veillance in public places, etc. Leonard, supra note 99, at 7–8.
101
2012 CPBR, supra note 15, at 6 (stating that adopting legisla-
tion consistent with the 2012 CPBR would fill ”the gaps in the
existing framework,” extending baseline privacy protections to the
sectors that existing federal statutes do not cover, but would not
modify existing federal statutes that apply to specific sectors (e.g.,
healthcare, education, communications and financial services, or
in the case of online data collection, children under the age of 13),
unless the existing federal statutes set inconsistent standards for
related technologies).
 computer law & security review 32 (2016) 696–714
model for “patching” a larger quilt of federal and state infor-
mation privacy legislation in Australia, just as the FIPPs included
in the 2012 CPBR, if enacted into law, will patch a very large
hole in the quilt of federal and state information privacy leg-
islation in the United States.102 In this way, the information
privacy regulatory frameworks of Australia and the United States
differ from comprehensive information privacy frameworks that
follow the model of the European Union’s Data Protection Di-
rective that mandates compliance with fair information
practices principles that are generally applicable to all sectors
of the economy.103
5.2. Privacy principles recognized in the United States
and Australia
The 2012 CPBR articulates seven FIPPs to guide the develop-
ment of federal legislation to protect consumer privacy in
commercial contexts that are similar to statements of fair in-
formation practice principles that the U.S. government has
previously endorsed or implemented.104 The seven guiding FIPPs
included in the 2012 CPBR are: individual control, transpar-
ency, respect for context, security, access and accuracy, focused
collection and accountability.105 The 2012 CPBR makes it clear
that the purpose of adopting legislation guided by these FIPPs
is to protect information privacy in consumer to business con-
texts and that the FIPPs are not designed for application in
consumer to government contexts.106 Given the 2012 CPBR’s
focus on the private-sector, its statement of FIPPs is a good start-
ing point to analyze how private-sector businesses in the Big
Data value chain should handle DPI in commercial settings,
and in particular, how FIPPS should be applied to DPI by private-
sector businesses for commercial purposes including consumer
102
2012 CPBR, supra note 15, at 6 (commenting that gaps in the ex-
isting U.S. privacy framework result in most of the personal data
used on the Internet not being subject to comprehensive federal
statutory protection, a gap the 2012 CPBR is intended to fill).
103
See generally, EU Data Protection Directive, supra note 18; King
& Jessen, supra note 58, at 463–464.
104
The 2012 CPBR summarizes the development of codes of fair
information practices principles that have evolved since the U.S.
Department of Health, Education and Welfare issued its report in
1973, “Records, Computers, and the Rights of Citizens”; develop-
ments include: the Organisation for Economic Co-Operation and
Development’s “Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data” (OECD Privacy Guidelines); APEC
Privacy Framework, supra note 77; and the EU Data Protection Di-
rective, supra note 18. Appendix B of the 2012 CPBR includes a chart
comparing the CPBR to other statements of FIPPs, including the
OECD Privacy Guidelines, the Department of Health and Wel-
fare’s Privacy Policy, and the APEC Principles. 2012 CPBR, supra note
15, at 49–52.
105
2012 CPBR, supra note 15, Appendix A, at 47–48.
106
2012 CPBR, supra note 15, at 5 (n.1) (providing that this frame-
work is concerned solely with how private-sector entities handle
personal data in commercial settings; commenting that a sepa-
rate set of constitutional and statutory protections apply to the
government’s access to data that is in the possession of private
parties and the Federal government’s handling of personally-
identifiable information is covered by the Privacy Act of 1974, Pub.
L. No. 93–579 (5 U.S.C. section 552a)). The scope of this article is iden-
tical to the scope of the 2012 CPBR, supra note 15, and the Discussion
Draft, supra note 16.
707
profiling. While the Australian Privacy Principles provide FIPPs
for both governmental and private-sector entities, the FIPPs
differ depending on whether the entity regulated is an orga-
nization (generally a private sector business) or an agency (a
governmental body).107 As described below, Australia’s infor-
mation privacy framework for private-sector organizations as
articulated in the APPs provides very rich insight for the design
of a similar framework for the U.S. and application of the APPs
addresses many privacy concerns about how private-sector busi-
nesses in the Big Data value chain should handle DPI.
From the Australian perspective, the thirteen FIPPs recog-
nized in the APPs are organized according to the five stages
of the personal information lifecycle: 1) adoption of a policy
and other organizational considerations of managing per-
sonal information privacy; 2) collection of personal information;
3) dealing with personal information; 4) integrity of personal
information; and 5) access to and correction of personal
information.108 In contrast, the seven FIPPS articulated in the
2012 CPBR describe overall privacy objectives, such as ensur-
ing consumers have individual control over their personal
information in relation to commercial entities. Thus, each FIPP
described in the 2012 CPBR typically relates to many or even
all of the stages of the personal information lifecycle and mul-
tiple APPs may be involved in accomplishing even one of the
FIPPs in the 2012 CPBR. While both the 2012 CPBR and APPs
can be seen as different but similar visions for protecting con-
sumers’ information privacy, the APPs provide a much more
detailed vision because they are in fact legislation that imple-
ments many of the aims or themes in the 2012 CPBR.
5.3. Finding FIPPs for discovered personal information
How should the FIPPs included in the 2012 CPBR apply to dis-
covered personal information (DPI) and consumer profiling?
What lessons can be learned from comparing how the APPS
would apply to DPI and consumer profiling that will help design
U.S. consumer privacy legislation to ensure consumer privacy
in this context? We begin this discussion by looking at three
key FIPPs articulated in the 2012 CPBR.
5.3.1. Control, focused collection, and respect for context
According to the 2012 CPBR, consumers have a right to exer-
cise control over what personal data that companies collect
from them and how they use it.109 This principle requires com-
panies to give consumers appropriate control over what data
they share with others and how companies collect, use, or dis-
107
See the definitions of APP entity, agency and organization in the
APA.
108
The APPs are listed in a separate schedule that is included in
the APA. APA, Schedule 1. Schedule 1 lists the thirteen APPs in the
order of the personal information life cycle, assigning the APPs to
one of the five parts of the personal information life cycle: Part 1,
Consideration of personal information privacy (APPs 1 and 2); Part
2, Collection of personal information (APPs 3, 4 and 5); Part 3, Dealing
with personal information (APPs 6, 7 and 8); Part 4, Integrity of per-
sonal information (APPS 10 and 11); and Part 5, Access to, and
correction of, personal information (APPs 12 and 13). APPG, A.7, at
3. Definitions for terms used in the APPs are listed in the main body
of the APA to which Schedule 1 is appended.
109
2012 CPBR, supra note 15, at 11.
708 computer law & security review 32 (2016) 696–714
close personal data, including clear and simple choices to make
meaningful decisions about personal data collection, use and
disclosure and offering means to withdraw or limit consent.110
Two other FIPPs in the 2012 CPBR limit companies’ collection
of consumer data: the focused collection principle and the
respect for context principle. The focused collection principle
entitles consumers to reasonable limits on the personal data
that companies collect and retain about them.111 This prin-
ciple is related to the respect for context principle, which gives
consumers the right to expect that companies will collect, use
and disclose personal data in ways that are consistent with
the context in which consumers provide the data.112 Respect
for context requires companies to limit their use and disclo-
sure of personal data to those purposes that are consistent with
both the relationship they have with consumers and the context
in which consumers originally disclosed the data, unless re-
quired to do otherwise.113 All three principles are intrinsically
related: the right to consumer control empowers consumers
to restrict companies’ use and disclosure of their personal data
that exceeds what is permitted by the principles of focused
collection and respect for context. Companies are obligated to
limit their collection of consumers’ personal data to per-
sonal data that is needed to accomplish purposes specified by
the company under the request for context principle. These
principles also obligate companies to provide heightened mea-
sures of consumer choice (and transparency) if they decide to
use or disclose personal data for purposes that are inconsis-
tent with the context in which consumers initially disclosed
the data.114 In the context of Big Data, these three principles
would not allow companies in the Big Data Industry to collect
all possible personal data and decide later whether to analyze
it further to discover DPI. However, broadly stated principles
leave far too many ambiguities to ensure consumer control or
effectively limit personal data collection.
In contrast, a look at the APPs reveals straightforward rules
that give consumers the right to exercise control over what data
companies collect from them and how it may be used, and also
illustrate how to ensure companies respect the context in which
consumers have disclosed their data. First, the APPs give con-
sumers control by limiting companies’ collection of personal
data to information that is reasonably necessary for one or more
of a company’s functions or activities (requiring both focused
collection and respect for context). Interpretive guidelines from
the Australian Information Commissioner state that reason-
able necessity should be determined by an objective test that
considers three factors: the primary purpose of the collec-
tion, how the information will be used for this function or
activity at the time of collection (generally not permitting col-
lection for a function or activity that could become necessary
in the future), and whether the function or activity could be
110
2012 CPBR, supra note 15, at 11.
111
2012 CPBR, supra note 15, at 21.
112
2012 CPBR, supra note 15, at 21 (commenting companies should
collect only personal data needed to accomplish purposes speci-
fied under the respect for context principle and should securely
dispose of or delete personal data once it is no longer needed, unless
legally obliged to do otherwise).
113
2012 CPBR, supra note 15, at 15.
114
2012 CPBR, supra note 15, at 15.
undertaken without the information or with less information.115
Second, personal data must typically be obtained directly from
the individual, made by lawful and fair means, and if sensi-
tive information, with consent, thus placing consumers firmly
in control of whether companies may collect their sensitive
information.116 Third, the APPs also limit companies’ collec-
tion or receipt of “unsolicited” information (information received
by a company that it did not expressly solicit), generally re-
quiring de-identification or destruction of data that could not
have solicited and collected directly from the individual.117
Fourth, additional consumer control is afforded by requir-
ing companies to allow individuals not to identify themselves
(to be anonymous or to use pseudonyms) if it is not neces-
sary for the company to identify the individual on a particular
matter.118 Fifth, respect for context is ensured by prohibiting
companies from using or disclosing information for second-
ary purposes, except where there is consent or the individual
would reasonably expect such use or disclosure of the infor-
mation for a secondary purpose.119 Sixth, use or disclosure of
personal information held by a company for direct market-
ing (which is often a secondary purpose) is specifically limited
to information collected from the individual that the indi-
vidual would reasonably expect to be used for marketing and
requires companies to offer consumers an opt-out method that
enables them to request not to receive direct marketing com-
munications. This procedure puts consumers in control of
whether their personal information is used for direct market-
ing purposes and mandates focused collection and respect for
context.120
What should the principles of individual control, focused
collection and respect for context entail in the context of dis-
covered data that is personal data and consumer profiling? Keep
in mind that Big Data largely involves reuse of data. Data reuse
may conflict with the privacy principle that data collected for
one purpose may not be reused for a second purpose that is
not compatible with the original purpose of collection (purpose
limitation principle).121 It is this general purpose limitation prin-
ciple that is most similar to the focused collection and respect
for context principles in the 2012 CPBR. From the Australian
perspective, APPs 3 and 4 address the purpose limitation prin-
ciple by prohibiting companies from collecting solicited or
unsolicited personal information unless it is reasonably
necessary for one or more of the entity’s functions. These APPs
115
APP 3; APPG 3.19.
116
APP 3. Sensitive information is defined by statute. APA, s.6. There
is a provision allowing organizations to collect information for or
on behalf of a related corporate body, such as a parent or subsid-
iary corporation; however, the reasonably necessary criteria still
applies, limiting collection, use and disclosure to the primary pur-
pose(s) at the time of collection. APPG 3.21.
117
APP 4; APPG ch3, at 3 (stating that an entity solicits personal
information if it explicitly requests another entity to provide per-
sonal information or it takes active steps to collect it).
118
APP 2.
119
APP 6 (use or disclosures of sensitive personal information for
a secondary purpose are further restricted).
120
APP 7. Further, cross-border disclosure, including providing access
to personal data, is restricted. APP 8.
121
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 6.
 computer law & security review 32 (2016) 696–714
further strengthen individual control by requiring most per-
sonal data about an individual to be collected directly from the
individual.122
As The Berlin Group concluded, “the purpose limitation
means that “enterprises which use collected personal data as
a basis for predictive analysis must ensure that the analysis is
compatible with the original purpose for collecting the data.”123
It is not that consumer data cannot ever be used for second-
ary purposes; rather, consumer control should be ensured and
uses for secondary purposes should be prohibited in the absence
of consumer consent. Generally compliance with the purpose
principle would require companies to give consumers mean-
ingful choices about whether to permit their data to be used
for secondary purposes and restrict companies’ use of per-
sonal data for secondary sources absent satisfying that
requirement. In some privacy regulatory frameworks, opt-out
mechanisms are likely to satisfy the requirement of giving con-
sumers a choice. It is recognized that few consumers are likely
to opt-out; nevertheless, consumers should have a choice. In
sum, to the extent that data analytics are being applied to con-
sumer data for a secondary purpose, which is generally the case
with DPI and consumer profiling in Big Data, individual control
should be respected. When data analytics are applied to dis-
cover consumer data for secondary purposes, consumers should
be able to choose whether to allow companies to apply data
analytics to produce personal data about them that cannot be
directly retrieved from a database at the time of collection,
whether to allow DPI to be used to profile them,124 and whether
to allow DPI to be shared or sold to other companies (disclosure).
5.3.2. Transparency
According to the 2012 CPBR, consumers have a right to easily
understandable and accessible information about a compa-
ny’s privacy and security practices. 125 The principle of
transparency requires companies to give consumers clear de-
scriptions of what personal data they collect, why they need
the data, how they will use it, when they will delete the data
or de-identify it, and whether and for what purposes they may
share personal data with third parties.126
In the context of Big Data and discovered data, issues of
transparency deserve particular attention. When a consumer
profile is constructed from direct data in a large-scale data base
that contains data from a wide variety of sources, as is typi-
cally the case in the Big Data industry, the resulting consumer
profiles may already be quite detailed. However, if data ana-
lytics is applied to large-scale databases to discover new
information, it may be possible to statistically infer addi-
tional personal information, including sensitive data about race,
sex, income level, interest in certain types of products or ser-
122
APP 3.6; APP 4.
123
Berlin Group Working Paper on Big Data and Privacy, supra note
3, at 6 (commenting that the purpose limitation means that “en-
terprises which use collected personal data as a basis for predictive
analysis must ensure that the analysis is compatible with the origi-
nal purpose for collecting the data”).
124
APPG B.137 (defining use of personal information broadly to
include accessing and reading, searching records for, and making
a decision based on).
125
2012 CPBR, supra note 15, at 14.
126
2012 CPBR, supra note 15, at 14.
709
vices, etc.127 If such DPI are added to consumers’ profiles, the
result is more highly-detailed profiles and perhaps more sen-
sitive profiles. A consumer would not be likely to be aware that
personal data has been discovered about him through the
process of data analytics by stakeholders in the Big Data context.
He would also be unlikely to know that the use of DPI for com-
mercial purposes may have significant impact on the
consumer’s life. Further, the DPI may in fact be erroneous,
meaning that it does not reflect true attributes of a con-
sumer being profiled. This also could result in possible adverse
consequences for the consumer as well as other parties that
rely on the profile.
The 2012 CPBR discusses the Big Data context and data
brokers and advises that companies (first-parties) that collect
personal data from consumers and provide that personal data
to data brokers and other third-party companies should: dis-
close the purposes for which they provide consumers’ data to
third parties; help consumers understand the nature of third
parties’ activities; and help consumers understand whether
third-parties are limited to achieving the purposes for which
consumers’ data has been provided to third parties.128 Accord-
ing to the 2012 CPBR, companies that do not interact directly
with consumers, such as data brokers, should also be covered
by the transparency principle and should be required to provide
explicit explanations of how they acquire, use and disclose per-
sonal data.129 The transparency principle as envisioned by the
2012 CPBR largely focuses on notice to consumers. This notice
is to be achieved through companies’ privacy policies, includ-
ing third-party privacy policies.
Looking at transparency from the Australian perspective,
APP 1 requires companies to manage personal information in
an open and transparent way, including having a clearly ex-
pressed, up-to-date privacy policy that is compliant with the
APPs.130 APP 1 applies to all entities covered by the legisla-
tion, whether or not they interface with consumers or collect
personal data from consumers. APP 5 requires notice to the
individual that a company has collected personal data about
the individual – it specifies ten required elements of this notice
that include: purpose of collection, main consequences to the
individual of such collection, other entities to which the
company usually discloses this type of information, and, if dis-
closure is to an overseas entity, which countries the recipients
are likely to be located in.131
Transparency is a principle found in both the 2012 CPBR and
the APPs, although the Australian version is much more spe-
cific in terms of what this principle means in terms of required
disclosures. While the 2012 CPBR’s version of transparency is
127
See Kshetri, supra note 23, at 1137–1138.
128
2012 CPBR, supra note 15, at 14.
129
2012 CPBR, supra note 15, at 14.
130
APP 1.
131
APP 5; APP 8 (addresses cross-border disclosure of personal in-
formation, requiring companies that disclose personal information
to an overseas recipient to take such steps as are reasonable in the
circumstances to ensure that the overseas recipient does not breach
APPs 2–13 in relation to the information). There is no corollary FIPP
in the 2012 CPBR that restricts cross-border disclosure of per-
sonal information.
710 computer law & security review 32 (2016) 696–714
helpful because it discusses the context of Big Data and spe-
cifically the role of data brokers and other companies that are
not consumer-facing, it does not go far enough. APP 5 is worded
broadly to require informing consumers about the purposes
of data collection, main consequences to the individual of that
collection, and identifying other entities to which the company
usually discloses this type of information. In this way, it better
addresses the principle of transparency in Big Data. It is not
likely to be enough to actually apprise consumers about the
privacy risks associated with having their personal data pro-
cessed in Big Data. To fulfil the transparency principle in the
context of Big Data, specifically to inform consumers about the
possibility of DPI being produced about them and that it may
be used in consumer profiling with possible adverse conse-
quences for consumers, requires meaningful disclosure.
Consumers should be provided clear and easily accessible in-
formation about the privacy practices of companies that collect
their data as well as companies that analyze their data and
use the fruits of data analytics. This information should explain
both data analytics and consumer profiling. Specifically, con-
sumers should be informed about the possibility that DPI about
them that cannot be directly retrieved from a database at the
time of collection may be produced through application of data
analytics, and if so, how that personal data will be used or dis-
closed for consumer profiling. In addition to fulfilling the
principle of transparency, consumers need this information to
exercise their individual rights of control over personal data,
as discussed in the previous section.
5.3.3. Access and accuracy
According to the 2012 CPBR, consumers are entitled to access
and correct their personal data. This access is to be provided
in usable formats, and in a manner that is appropriate to the
sensitivity of the data and the risk of adverse consequences
to consumers if the data is inaccurate. Specifically, this prin-
ciple requires companies to: use reasonable measures to ensure
they maintain accurate personal data; provide reasonable access
to consumers to data that companies collect or maintain about
consumers; and provide appropriate means and opportunity
to correct inaccurate data or request its deletion or limit its
use.
In the Australian consumer privacy framework, three sepa-
rate APPs address the principles of access and correction. First,
APP 10 addresses the quality of personal information and re-
quires companies to take steps that are reasonable in the
circumstances to ensure personal information collected is ac-
curate, up-to-date and complete.132 Personal information that
companies use or disclose to others must be, with regard to
its purpose, accurate, up-to-date, complete and relevant.133
Second, APP 11 requires companies to give consumers access
to their personal information upon request, within a reason-
able time, and must provide the data in the manner requested
by the consumer, as long as it is reasonable and practicable
to do so.134 Third, APP 13 covers correction of personal infor-
mation and it requires companies that hold personal
information to take steps that are reasonable in the circum-
132
APP 10.
133
APP 10.
134
APP 11.
stances to correct personal information. The organization must
correct personal information that is inaccurate, out-of-date, in-
complete, irrelevant or misleading, and it must do so either
upon the consumer’s request or on its own determination.135
There is a long list of exceptions in APP 11 that appear to
be efforts to achieve a good balance between protecting con-
sumers’ privacy and protecting other legitimate interests of
companies that would otherwise be required to provide access.
The exceptions are also designed to protect other persons who
could be harmed if the consumer is given access to certain
pieces of personal data.136 From an information privacy per-
spective, there is a need to carefully consider exceptions that
would allow companies to refuse consumers’ access to DPI
based on arguments of overriding business interests or pos-
sible harm to other persons. In the vast majority of cases, in
order to promote transparency and individual control, it will
be important to ensure that individuals have reasonable access
to personal data discovered about them and to require com-
panies to produce sufficient information about the use of
discovered data for consumer profiling to enable consumers
to understand the consequences of being profiled and to be
able to challenge erroneous or discriminatory profiling.
Having considered the Australian and U.S. policy perspec-
tives, when considering access and accuracy for DPI and
consumer profiling, consumers should have the right to learn
whether companies hold DPI about them, what that DPI is, and
how DPI is used, including whether it is used for consumer pro-
filing purposes or disclosed to other companies. Companies
should be required to honor consumers’ rights of access and
accuracy even when they are not consumer-facing. For example,
data brokers should be required to provide access and accu-
racy for DPI. In this regard, the Australian privacy system
provides an example of legislation that regulates both
consumer-facing as well as non-consumer facing companies,
expressly regulating access, accuracy and correction by com-
panies that hold personal information without limiting the
application of these FIPPs to companies that have been in-
volved in collecting personal information directly from
consumers.
In sum, practical mechanisms, such as web portals, need
to be designed to facilitate consumer access to data and cor-
rection of data held by data brokers and other companies that
do not otherwise deal directly with consumers.137 These tools
135
APP 13.
136
These exceptions allow a company to deny access to a con-
sumer’s personal data when: the company reasonably believes that
giving access would pose a serious threat to life, health or safety
including public health or safety; giving access would have an un-
reasonable impact on the privacy of another individual; the request
for access is frivolous or vexatious; the information requested relates
to existing or anticipated legal proceedings; giving access would
reveal the intentions of the company that is in negotiations with
the individual such as to prejudice negotiations; situations involv-
ing unlawful conduct or serious misconduct; or giving access would
reveal evaluative information generated within the entity in con-
nection with a commercially sensitive decision-making process.
APP 11.
137
Comments of World Privacy Forum to the NTIA, U.S. Depart-
ment of Commerce Regarding the Privacy RTFC 2014, p. 6 (2014),
https://www.ntia.doc.gov/files/ntia/wpf.pdf.
 computer law & security review 32 (2016) 696–714
should make it easy for consumers to make requests for access
and corrections. In the context of Big Data, it should be rec-
ognized that discovered data may be erroneous because
data analytics may produce both “false-positives” and
“false-negatives”.138 When this is the case and erroneous data
is used for consumer profiling, consumers may be harmed. So
consumers should have a way to access DPI and have errors
corrected. When discovered data is inaccurate, not up-to-
date, and not relevant or misleading, consumers should have
the right to have DPI rectified, completed, amended or deleted.
Heightened personal data protection should be designed to
prevent the misuse of sensitive DPI, including its use for con-
sumer profiling purposes, in order to prevent significant privacy
harms for consumers.
5.3.4. Security
According to the 2012 CPBR, consumers have a right to secure
and responsible handling of their personal data.139 This prin-
ciple requires companies to assess the privacy and security risks
associated with their personal data practices. It also requires
companies to implement reasonable safeguards to control risks
such as loss, unauthorized access, use, destruction, or modi-
fication and to control improper disclosure.140 In Australia, APP
11 requires companies that hold personal data to take rea-
sonable steps to protect the security of personal data. APP 11
also mandates deletion or de-identification of personal infor-
mation when it is held by a company and is no longer needed
for any purpose that it may lawfully be used or disclosed by
the company. When this is the case, the company must take
steps that are reasonable in the circumstances to destroy the
personal information or ensure it is de-identified. As in the case
of APPs covering access and accuracy, APP 11 applies to enti-
ties that hold consumers’ personal information, not just to
companies that collect information from consumers, making
it applicable to non-consumer facing companies like data
brokers.
In the context of this paper, consumers should have the right
to secure and responsible handling of their personal data and
DPI in order to prevent unauthorized access, use or modifica-
tion and to control improper disclosure. The process of using
data analytics to discover personal data should be recog-
nized as access, use, modification or disclosure of personal data.
Non-consumer facing and consumer facing companies that hold
or use personal data and DPI, including those that have access
to personal data held by other companies, should be obli-
gated to take reasonable steps in the circumstances to protect
consumers’ privacy and security. Companies that hold DPI
should be required to destroy or de-identify the data when they
no longer need it for any purpose that it could lawfully be used
or disclosed consistent with the applicable FIPPs. Companies
that disclose aggregated data that has been de-identified to
remove personal data should be required to use available tech-
nologies that reasonably prevent re-identification of the data
and impose contractual restrictions on organizations that
receive de-identified data that restrict them from re-identifying
the data.
138
Schermer, supra note 19, at 48.
139
2012 CPBR, supra note 15, at 19.
140
2012 CPBR, supra note 15, at 19.
711
5.3.5. Accountability
This principle gives consumers the right to have personal data
handled by companies with appropriate measures in place to
assure they adhere to FIPPs described in the 2012 CPBR.141 It
contemplates holding companies legally accountable to con-
sumers for adhering to the FIPPs described in the 2012 CPBR.142
The 2012 CPBR envisions a role for the Federal Trade Commis-
sion and State Attorney Generals to enforce the FIPPs, including
compliance with codes of conduct developed by companies and
other stakeholders. It requires companies to hold their em-
ployees responsible for adhering to the FIPPs. It also envisions
directing companies that disclose personal data to third parties
to ensure that the recipients are under enforceable contrac-
tual obligations to adhere to the FIPPs, unless required by law
to do otherwise. Likewise, the Australian Privacy Act ensures
accountability by requiring companies to comply with the APPs
and giving consumers the right to file complaints against com-
panies that have breached the APPs with the Australian
Information Commissioner.143 The Australian Information Com-
missioner has the power to investigate complaints, conciliate
resolutions of complaints and make administrative determi-
nations that include compensation to consumers for loss or
damage.144
Among the criticisms of enforcement mechanisms found
in the Australian consumer privacy framework is that it does
not give consumers a private right of action to bring privacy
claims directly in a court, although a recent review by the Aus-
tralian Law Reform Commission recommends rectifying this
through enactment of new privacy tort legislation. This new
legislation would give consumers the right to file lawsuits for
invasion of privacy including information privacy claims.145 As
the enforcement mechanisms adopted in federal consumer
privacy legislation in the United States are likely to differ sub-
stantially from those enacted in Australia, further comparison
will not be made. Adequate enforcement mechanisms need to
be put in place to protect consumers’ information privacy and
to hold companies legally accountable for complying with the
FIPPs recommended earlier in this section, recognizing that the
FIPPs apply to DPI and consumer profiling. Enforcement should
include holding non-consumer-facing companies in the Big Data
value chain, such as data brokers, accountable for compli-
ance with FIPPs.
6. Adequacy of proposed U.S. consumer
privacy legislation
In February 2015, the Office of the President of the United States
submitted a draft of comprehensive federal consumer privacy
141
2012 CPBR, supra note 15, at 21.
142
2012 CPBR, supra note 15, at 29–30.
143
APA s.6A-6B; Part V, s. 52(iii).
144
APA Part V, s. 52(iii).
145
See Serious Invasions of Privacy in the Digital Era, Australian Law
Reform Commission, Australian Government Report 123, 59–89 (JUNE
2014). Another weakness in enforcement under the Australian
privacy framework is its exemption of small business operators from
compliance with the APPs, with small business operators defined
as companies that have less than $3 million (Australian dollars)
in annual turnover from the previous year. APA, s.6C, 6D.
712 computer law & security review 32 (2016) 696–714
legislation to Congress. This draft was labeled “Administra-
tion Discussion Draft” (Discussion Draft), making it clear that
it had not yet been introduced into Congress as proposed
legislation.146 The Discussion Draft generated criticism from
many perspectives, including privacy advocates and industry.147
Some commentators believe that the discussion draft will never
become law due to the politics involved; others criticize it for
various reasons including that it does not go far enough to
protect consumers’ privacy.148
In the context of this paper, the Discussion Draft is signifi-
cant because it follows an in-depth study of Big Data and
provides an example of legislation drafted with the goal of pro-
tecting consumers’ information privacy in the era of Big Data.149
Further, the Discussion Draft is a legislative proposal offered
by an Administration that recognizes the relationship between
ensuring fair information practices for the processing of per-
sonal data and promoting trust by data subjects about how their
data will be collected, processed and used.150 As stated in a
recent Executive Order issued by President Obama to estab-
lish a Federal Privacy Council that aims to improve government
information privacy practices: “the proper functioning of gov-
ernment requires the public’s trust, and to maintain that trust
the Government must strive to uphold the highest standards
for collecting, maintaining, and using personal data.”151 In com-
merce as well as in government, protecting consumers’
information privacy is also necessary to promote consumers’
trust in how the Big Data industry will acquire and use their
personal data.152
How well does the recently proposed Discussion Draft
“measure up” in terms of protecting consumers’ privacy in dis-
covered data and consumer profiling? Put another way, if
enacted by Congress, would federal legislation implementing
the Discussion Draft require businesses to follow fair infor-
mation practices to protect consumer privacy in the context
of discovered data and profiling?
146
Administration Discussion Draft of the Consumer Privacy Bill
of Rights Act (Feb. 28, 2015) (Discussion Draft), http://www
.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-
act-of-2015-discussion-draft.pdf (last visited Feb. 2, 2016); J. Trevor
Hughes and Omer Tene, “President Obama Embraces the Privacy
Profession,” Privacy Perspectives (Feb. 11, 2016).
147
See, e.g., Angelique Carson, Is a U.S. Consumer Privacy Law Finally
on the Way?, The Privacy Advisor (Mar. 10, 2015) (commenting on
criticism regarding the Discussion Draft).
148
See Omer Tene, Taming the Beast: The White House and the FCC
Throw Down the Gauntlet, IAPP Privacy Perspectives (Mar. 2, 2015).
See also, letter dated March 3, 2015 from privacy advocacy groups
criticizing the Discussion Draft, http://www.consumerwatchdog.org/
resources/ltrobamagroups030315.pdf (last visited Feb. 2, 2016).
149
See generally, White House Report on Big Data, supra note 1.
150
Executive Order, Establishment of the Federal Privacy Council,
Office of the President, United States, at 2 (Feb. 9, 2016) (2016 Ex-
ecutive Order) (stating “Privacy has been at the heart of our
democracy from its inception, and we need it now more than ever”),
https://www.whitehouse.gov/the-press-office/2016/02/09/executive-
order-establishment-federal-privacy-council.
151
Executive Order, supra note 150, at 2.
152
Eric B. Larson, Building Trust In the Power of “Big Data” Research
to Serve the Public Good, 309(23) J. Am. Med. Ass’n. 2443 (June 19, 2013),
http://jama.jamanetwork.com/article.aspx?articleid=1697974.
6.1. Strengths of the Discussion Draft
The most significant strength of the Discussion Draft is that
it envisions federal legislation that would require companies
to establish principles-based consumer privacy protection for
consumers’ personal data that would be broadly applicable to
private-sector businesses. In other words, it would set minimum
standards of information privacy to protect consumers’ data.
If federal legislation consistent with the Discussion Draft is
adopted, it will be the first truly comprehensive federal con-
sumer privacy regulation in the United States that aims to
protect the privacy of consumers’ personal data in consumer
to business contexts. In contrast, existing federal consumer
privacy legislation has more limited scope, often applying only
to specific industries. For example, federal legislation protect-
ing patient privacy in their personal health data only covers
the personal health information practices of health care pro-
viders. This law does not regulate online tracking and profiling
by companies for OBA, even if collecting online tracking and
other data and applying data analytics to that data may allow
companies to infer that a computer user has a particular
medical condition.153
The fair information privacy principles mandated in the Dis-
cussion Draft are substantially the same as those outlined in
the 2012 CPBR: transparency; individual control; respect for
context; focused collection and responsible use; security; access
and accuracy; and accountability.154 The difference is that the
Discussion Draft translates those FIPPs into draft language for
a proposed bill that could be introduced into Congress. In doing
so, the Discussion Draft provides a roadmap for consumer
privacy legislation that will require companies to protect con-
sumers’ personal data by following principles-based fair
information practices. Long overdue in the United States, the
adoption of comprehensive federal consumer privacy legisla-
tion would significantly advance consumer privacy and promote
consumer trust in global commerce and Big Data. Adopting
comprehensive federal consumer privacy legislation would also
demonstrate commitment by the United States to its obliga-
tions under international agreements, such as APEC.155 Apart
from Turkey, the United States is the only developed nation that
does not have comprehensive consumer privacy legislation re-
quiring companies to apply fair information practices in their
handling of consumers’ personal data.156
Another key strength of the Discussion Draft is that its defi-
nition of personal data is broad enough to encompass DPI. The
Discussion Draft’s definition of personal data includes “any data
that are under the control of a covered entity, not otherwise
153
See generally, Health Insurance Portability and Accountability Act
of 1996,Pub. L. No. 104–191, 110 Stat. 1936 (codified, as amended,
in 42 U.S.C. x 1936 and other sections of the U.S. Code); King and
Jessen, supra note 58, at 470-71, 476.
154
Discussion Draft, Sections 101–107; 2012 CPBR.
155
See discussion of APEC privacy principles, supra note 97 and ac-
companying text (describing APEC and the privacy principles that
APEC members, including the United States, have agreed to uphold
through their national laws).
156
Analysis of the Consumer Privacy Bill of Rights, Center for Democ-
racy & Technology, 1 (Mar. 2, 2015), at https://cdt.org/insight/
analysis-of-the-consumer-privacy-bill-of-rights-act/ (last visited Feb.
16, 2016).
 computer law & security review 32 (2016) 696–714
generally available to the public through lawful means, and are
linked or as a practical matter linkable . . . to a specific indi-
vidual, or linked to a device that is associated or routinely used
by an individual.”157 More specifically, the Discussion Draft’s
definition of personal data includes any data that are “col-
lected, created, processed, used, disclosed, stored, or otherwise
maintained and linked, or as a practical matter linkable” by
the covered entity, to any of the types of identifiers listed in
the non-exhaustive list included in the definition.158 Inclu-
sion of the word “created” in this definition seems to encompass
DPI that have been derived or imputed using data analytics.
The Discussion Draft also captures DPI in its definition of per-
sonal data, to the extent it is linked or linkable to a specific
individual or to a unique persistent identifier for a device, such
as a mobile phone or computer that is used by an individual.
The Discussion Draft would extend privacy protection to DPI
that may subsequently be used for consumer profiling. For
example, when a consumer profile that includes DPI is used
to generate behavioral advertising to a consumer’s computer
tablet, the Discussion Draft would apply, even if the identity
of the consumer who owns the tablet is not known to the
advertiser.
An additional strength of the Discussion Draft is that it will
regulate the information privacy practices of non-consumer
facing businesses, such as data brokers, encompassing key
players in the Big Data value chain that produce discovered
data. This focus is apparent from the Discussion Draft’s defi-
nition of “covered entity” which is “a person that collects,
creates, processes, retains, uses, or discloses personal data in
or affecting interstate commerce.”159 Small companies that do
not use sensitive data are excluded from coverage under the
Discussion Draft, defined as companies that collect, create,
process, retain, use or disclose the personal data of fewer than
10,000 individuals and devices in a 12-month period, as long
as these companies do not knowingly collect, use, retain or dis-
close specific types of listed personal data that typically are
considered sensitive (including medical history, national origin,
sexual orientation or gender identity, income or precise
geolocation data, etc.).160 The Discussion Draft’s exclusion of
companies that collect or process relatively small amounts of
non-sensitive personal data would not be likely to exclude most
of the stakeholders in the Big Data value chain due to the vast
amounts of personal data they process and the intent to regu-
late any company that processes sensitive personal data. Due
to the volume of personal data processed, it is likely that the
Discussion Draft would regulate data brokers and other com-
panies that conduct data analytics to produce DPI for consumer
profiles. Further, companies engaged in consumer profiling
using profiles enhanced with DPI, such as search engine pro-
viders, social networks and online advertising networks, are
likely to be covered by the Discussion Draft’s regulation, de-
pending on the volume of DPI or the sensitive nature of the
DPI that is included in the consumer profiles that they use.
157
Discussion Draft, Section 4(a)(1).
158
Discussion Draft, Section 4 (a)(1)(H) (emphasis added).
159
Discussion Draft, Section 4(b)(1).
160
Discussion Draft, Section 4(b)(1)(D).
713
6.2. Weaknesses of the Discussion Draft
A primary weakness of the Discussion Draft is that it does not
ensure that consumers will have individual control over their
DPI. While the principle of individual control is addressed and
companies are required to provide individuals with “reason-
able means to control processing of personal data about them
in proportion to the privacy risk to the individual and consis-
tent with context,” this wording gives too much discretion to
companies to be effective. For example, it would give compa-
nies discretion to determine 1) when consumers will be able
to exercise control over their DPI; and 2) the means available
to consumers to exercise control over their personal data.161
Further, the Discussion Draft gives companies the responsi-
bility to assess the nature of the privacy risks to consumers
and to decide whether the mechanisms of control that the
company has provided are consistent with the context of the
company’s collection and use of the data.162
A significant weakness in the Discussion Draft is that com-
panies have no obligation to ensure individual control once they
no longer control the personal data. This is a likely scenario
in Big Data as DPI may not be revealed until after the company
that initially collected the dataset has transferred that data to
another company, such as a data analytics company.163 This
alone would not be a serious risk to consumers’ information
privacy in their DPI if the Discussion Draft created central-
ized mechanisms for consumers to exercise control of their
DPI with regard to non-consumer facing companies. For
example, some commentators have suggested that con-
sumer privacy in Big Data could be ensured by requiring non-
consumer facing companies to participate in online opt-out
registers that enable consumers to access their personal data
and to exercise control over that data.164 Instead, under the Dis-
cussion Draft, non-consumer facing companies, such as data
brokers and data analytics companies that create and hold DPI,
have the same discretion as other companies to decide for
themselves what are reasonable means for individuals to ex-
ercise control of their personal data.
Another weakness of the Discussion Draft is its reliance on
industry self-regulation without adequate oversight by privacy
regulators. Although the Discussion Draft gives the FTC regu-
latory authority, it limits the FTC’s ability to challenge self-
regulatory mechanisms that companies have adopted in order
to comply with the FIPPs outlined in the Discussion Draft.165
For example, under the Discussion Draft, companies that par-
ticipate in a multi-stakeholder processes to adopt codes of
conduct are protected from FTC enforcement by a “safe harbor”
rule166 Under the safe harbor rule, the FTC may only approve
or deny such codes of conduct within a limited timeframe.167
And, under this rule, after approval by the FTC, companies’
codes of conduct will be entitled to a legal presumption that
161
Discussion Draft, Section 102(a).
162
Discussion Draft, Section 102(a).
163
Discussion Draft, Section 102(c)(3).
164
See, e.g., Carson, supra note 147, at 12.
165
Discussion Draft, Section 201.
166
Discussion Draft, Section 301.
167
Discussion Draft, Section 301(a)(2).
714 computer law & security review 32 (2016) 696–714
they provide equivalent or greater protections for personal data
as those provided in the Discussion Draft.168
Finally, the Discussion Draft does not define sensitive per-
sonal data except in the context of whether companies that
process small volumes of personal data are exempt from regu-
lation under the Discussion Draft. Nor does the Discussion Draft
require heightened levels of individual control or other infor-
mation privacy rights regarding the processing of sensitive
personal data. In light of the very sensitive nature of DPI that
may be created and used for profiling in Big Data,169 the Dis-
cussion Draft’s failure to define sensitive data and to require
effective mechanisms for consumers to exercise individual
control are serious weaknesses.
Although the privacy weaknesses seem to outweigh the
strengths of the Discussion Draft, it is important to keep in mind
that the Discussion Draft is not a formal legislative proposal.
Should formal legislative proposals be introduced in Con-
gress that aim to create a comprehensive federal consumer
privacy law by implementing the 2012 CPBR, the proposed leg-
islation will likely differ from the Discussion Draft. It is likely
that proposed legislation being considered by Congress will be
subject to extensive amendment and compromise in the long
process of enacting federal consumer privacy legislation. Close
analysis of any proposed legislation designed to implement the
Discussion Draft will be required to see whether it will ensure
consumer privacy in Big Data, including creation and use of
DPI for profiling.
7. Conclusion
This paper examines important consumer privacy concerns that
arise in the era of Big Data and consumer profiling by com-
panies, specifically the use of data analytics to discover personal
data about consumers and the use of that data for consumer
profiling. Its main contribution is to provide a scholarly foun-
dation for analyzing how information privacy laws should be
designed to reflect appropriate fair information privacy prac-
tices with regard the production and use of discovered personal
information.
From an information privacy perspective, it is imperative
to examine the information privacy concerns related to Big
Data’s use of data analytics, particularly the activities of non-
consumer facing companies, like Data Brokers, that make
extensive use of data analytics in order to enhance the capa-
bilities of companies to engage in consumer profiling and other
data-driven decision-making processes.
This article provides a comparative law analysis that ex-
amines United States and Australian laws, including recently
168
Discussion Draft, Section 301(a)(5).
169
See generally, FTC Report, Big Data, supra note 11.
amended Australian federal privacy legislation. In so doing, it
reveals many insights about how to effectively protect con-
sumers’ privacy in Big Data. It specifically examines how fair
information practice principles found in Australian Privacy leg-
islation should apply to Big Data’s application of data analytics
to discover personal data about consumers and to the use of
this type of personal data for consumer profiling. The com-
parative law analysis in this article is broadly applicable to the
regulatory discussion about how best to regulate Big Data, a
discussion that is ongoing in many countries.
The article also examines the strengths and weaknesses of
a Discussion Draft of consumer privacy legislation that was re-
cently issued by the Office of the President of the United States.
The Discussion Draft urges Congress to pass comprehensive
federal consumer privacy legislation that is consistent with fair
information practices principles it outlines. If comprehensive
federal consumer privacy legislation along the lines of the Dis-
cussion Draft is eventually adopted in the United States, it would
demonstrate commitment to obligations of the United States
under international agreements, including APEC. Such legis-
lation would help align the federal privacy laws in the United
States with data protection laws found in other developed
nations, significantly bridging regulatory gaps that currently
exist between the law of the United States and other countries.
However, as written, adopting federal consumer privacy leg-
islation in accordance with the Discussion Draft would not
adequately protect consumers’ information privacy in Big Data.
It would not ensure that consumers’ information privacy is pro-
tected relative to Big Data’s application of data analytics to
discover personal data and subsequent use of this type of per-
sonal data for consumer profiling. A significant privacy
weakness in the Discussion Draft is its failure to ensure that
consumers have effective mechanisms to exercise individual
control over their personal data. Another weakness is that the
Discussion Draft places undue reliance on industry-adopted
codes of conduct to establish consumer privacy protections
without adequate regulatory oversight. To ensure that con-
sumers have adequate information privacy for discovered
personal information and its use for consumer profiling, pro-
posed federal consumer privacy legislation for the United States
should conform to the FIPPs outlined in the 2012 CPBR and be
examined in light of strong global legislative models like Aus-
tralia’s federal consumer privacy legislation.
Acknowledgement
This research was made possible through support and col-
laboration between the authors that was fostered by the Centre
for Commercial Law and the Bond Visiting Law Scholars
Program at Bond University, Australia.