Responsible Insurer

Privacy and Big Data

Interview with Giovanni Buttarelli

“From 25 May 2018 European privacy regulations will become applicable to all of the information giants regardless of whether they have offices in the European Union: it will be a change of revolutionary proportions.”

59-year-old Italian magistrate Giovanni Buttarelli, Europe’s Data Protection Supervisor since 2014, tells us what we can expect from what he describes as “the Big Data revolution”. “Technology will make the exchange of information between things and other things increasingly simple: the area of application of the concept of anonymous data is set to shrink.”


You have said that Big Data represent a revolution for the concept of privacy. Are you optimistic or pessimistic about the future?

Optimistic for the innovative scope of this new use of technology that represents a genuine new industrial revolution. I agree with the approach of the report commissioned by the Obama presidency that identified a huge opportunity in the use of Big Data but also potential risks concerning the concentration of information in a few private hands and the potential dissipation of the concept of state sovereignty.


For Big Data we dont mean just the data people make available knowingly (such as age, address, eye colour, etc.) but much more information about them, for example the tracking of their transport movements, shopping habits, online behaviour etc., which goes some way beyond privacy in its traditional meaning. Big Data appears to be overtaking privacy or should we expand the concept of privacy?

The question is a pertinent one. It’s true, Big Data represents a challenge for some traditional aspects of privacy such as the definition of personal data, a definition that has now been confirmed by the new European regulation and that refers to any information relating to an individual. Technology is making it increasingly easy for information to be shared between things and other things: the area of application of the concept of anonymous data is shrinking. In a way everything will become personal data, or rather the notion of personal data will disappear to be replaced by the notion of data that will be referable to one or more individual, groups of individuals or clusters in which we are connected partners. The algorithms will be refined to adapt to this.


You have suggested the possibility of creating individual safes that interested parties will be able to control, entrusting the keys on a case by case basis to individual operators or hitting the off switch when they choose. What does this mean in practice?

Today our information is provided with our consent or passed on improperly by others to other operators; often it is difficult for us to know where the information is present and there are also risks of duplication and a lack of validation or updating of the content. The new European regulations establish “data portability” to enable that the passage of data from one operator to another will not be disadvantageous. Another solution that is being tested is that of “one box only”, in which data is present in just a single technical context under the exclusive autonomy of the interested party who can choose whether to authorize its use by specific operators for specific purposes or to interrupt the legitimization of its use (without having to suffer any adverse consequences) whenever the individual so chooses.


Big Data also represents a great opportunity, think for example of the sectors of welfare and health, but also transport. In Great Britain, for example, there is much talk about the agreement between the National Health Service (NHS) and Google Deep Mind to analyse the data from millions of patients. Whats your opinion of this?

I have just completed an article on this subject, which is one of the unanswered questions about the future of Big Data, and I would advise greater attention from the political decision-makers. Much information that is not useful today will be useful tomorrow. The highest earning companies today are those that work with information. Tomorrow power will be even more closely linked to those who manage this data and it will be even more concentrated. The initiative in the UK is certainly not the first: back in 2013 Viktor Mayer-Schönberger, in his book Big Data highlighted how, in order to identify the breeding grounds and the possible spread of avian viruses in the USA, the health authorities involved should have used an analysis of key words used on search engines. We can thank Google for this collaboration but the future cannot depend on the generosity of a private company. Today we know the juridical rules harmonized on European level that oblige public administrations to make the data of private individuals accessible to them for research purposes or other uses. I would ask what must be done to obtain the same situation from the opposite point of view.


In the past no private individual ever held such extensive control over personal data as Google and Facebook do today. However, many of us would probably be even more wary about entrusting our data to the state. Is it right to mistrust the public use of data or is it an opportunity missed?

This approach is a legacy of the past, partly born as a reaction to forms of totalitarianism. The French law passed in 1978 to safeguard IT rights and liberties was a reaction against the Safari project that aimed to establish diverse databases for use in welfare administration, in Australia there was a street revolt against the new electronic identity card. The European Convention on Human Rights establishes that all collection of data by public administrations should be considered a form of interference in private life for which it is necessary to verify its proportionality and the related opportunities. In the future the outlook could be different: the new European regulation will be applicable to all IT giants that provide goods and services to clients in the Union or that profile its inhabitants.


In Europe there seems to be a greater sensitivity to the themes of privacy compared to the situation in the United States or China. Do the systems with fewer safeguards hold a competitive advantage from an economic point of view?

Perhaps they did in the past until the nineties but not now. Now there are 121 countries in the world that have privacy legislation similar to the European version, 57 of these are well outside of the European sphere. Japan has recently applied a law inspired by the concepts familiar to us. The globalization of data flows does not permit a fragmentation of policies for the management of information. Of course, it is not easy to create the possibility of an international convention however much we at the European Supervisory body wish for such a solution. Today it is preferable to speak about interoperability and mutual recognition between different systems but it is clear that in a globalized world it is inevitable that such policies will begin to converge. Concerning privacy, the first important answer has been provided by Europe. The new regulations, which no longer considers the location in which businesses are based but rather whether European citizens are affected by their activities, has an effect that in the USA they call “extraterritoriality” but in reality that is not really the case because the concept of sovereignty today is evolving in new ways. Today Europe can develop its Digital Single Market precisely because it guarantees some safeguards. All of the analysis on ecommerce demonstrates that privacy has never been a hindrance to the digital economy, in fact, the opposite is true.