Big data - Italian Authorities call for more regulation
Increased transparency essential
12 March 2020
As a result of a three-year joint effort, the Italian antitrust, telecom and data protection watchdogs give voice to businesses', experts' and customers' expectations and concerns regarding the use of Big Data. Their 2020 report discusses concrete actions aimed at ensuring transparent use of personal data and preventing the risk of information services being driven by mere marketing goals.
The Italian Antitrust, Telecom and Data Protection Authorities team up to assess the need for Big Data regulation
In May 2017 the Italian antitrust (AGCM), telecom (AGCOM) and data protection (the Garante, "DPA") authorities jointly launched a survey aimed at assessing the impact of Big Data on businesses, consumers and individuals.
In discussing Big Data, the Italian Authorities themselves had to digest huge volumes of raw data, hence the involvement of Facebook, Amazon, Microsoft, IBM and other data-reliant businesses and data experts.
The results of this three-year project were presented in a 122-page document published earlier this year. The Report summarises the social, economic and ethical concerns expressed by the interviewed businesses and experts. These were as follows:
- Big Data is a widespread business model, whereby raw data (hereinafter "Input Data") is mined, collected and analysed in order to obtain non-obvious and valuable inferences and patterns ("Output Data") on which business decisions rely;
- Business decisions are normally taken as a result of analysing anonymised data, which is non-personal data. In other words, contrary to what the general public thinks, data-reliant businesses do not aim at identifying a data subject, but rather clustering him/her;
- However, personal data remains at the core of Big Data, in that (i) collection and storage of Input Data triggers personal data processing and (ii) bulletproof anonymisation is technically very difficult to achieve (so that it can often be said that personal data is in fact pseudonymised – and pseudonymised data is personal data);
- The business need to cluster potential customers over time and offer them products and services based on their evolving preferences clashes with the data protection duty to inform the data subject, once and for all, about the purposes in advance of the processing. As a result, the Report suggests considering dynamic consent mechanisms, such as a two-step process whereby, after the data subject has granted his/her consent to the general purposes of the processing, the data subject receives a more detailed privacy notice and has an opportunity to provide his/her consent to the specific processing, once this has been identified. The difficulty here is to avoid the risk of the data subject receiving too much information and distractedly taking decisions on the processing of his/her personal data;
- The use of personal data goes hand in hand with newly established data subjects' rights, including (i) the right to avoid unjustified price discrimination, (ii) the right to access open data and (iii) the right to data portability (as set forth in Article 20 GDPR). However, the extent to which these rights may be enforced is still uncertain: for example, lock-in mechanisms (whereby the user is discouraged from leaving one service provider for another) or the complexity of data compilations may hinder portability of data;
- Regulation of traffic data processing has some gaps, in that, on the one hand, GDPR did not increase the level of protection afforded to this kind of data and, on the other hand, the e-Privacy directive (which will be replaced by the e-Privacy Regulation, still under discussion) imposes duties only on a restricted group of Internet service providers such as the social networks – i.e. the providers of a publicly available electronic communications service – and not on the so-called over-the-top (OTT) service providers, i.e. the providers of streaming media. As a result, the Report identifies cases where the user of a streaming platform – by accepting the OTT's terms and conditions – is also deemed to have accepted the privacy settings, resulting in the data of a user of OTT services being processed without the user actually knowing where his/her data is stored or for which purposes it is used;
- From an antitrust perspective, access to Big Data results in data-reliant businesses being able to enter new markets – think, for example, about the social networks' and search engines' news services – resulting in a risk of the information society losing its role as an objective gate-keeper and of an increase in fake news.
The Report's key findings and recommendations
The Italian Authorities conclude that, while they think that Big Data can support businesses and benefit consumers (e.g. in terms of innovative, customised and cheaper products and services), they also share the concerns identified by the interviewees, in that the concentration of Big Data in the hands of a restricted group of players can give rise to concentrations of power "considered not only as market power, but more generally as economic power and power tout court, affecting fundamental rights, competitive profiles, pluralism and the very resilience of democratic systems." The above raises competition, consumer protection, and privacy issues.
In light of the above, the Report calls for the legislator to consider a specific regulatory framework. Regulation should pursue:
- transparent use of personal data. Coordination between the European data protection authorities is of the essence, considering that Big Data relies on transnational data transfers;
- reduction in the information asymmetries between consumers and digital businesses. Data processors should inform users not only that their data is being transferred, but also that data is the consideration users pay to use the provider's services;
- new means to bolster online pluralism, transparency in the selection of content and consumers' awareness of the information received online;
- prevention of digital businesses' abusive behaviours and competition-restrictive undertakings that are in fact made possible as a result of the use of complex software and algorithms;
- a reform of merger control's regulatory framework to increase the scope of intervention of AGCM, in particular with regard to those mergers falling below the current thresholds required for prior notification, but which could prove capable of restricting important forms of potential online competition from the outset (so called "killing acquisitions");
- facilitation of data portability and mobility between different platforms, through the adoption of open and interoperable standards; and
- strengthening of the AGCM's and AGCOM's powers to obtain information outside investigation proceedings and an increase in the maximum sanctions to ensure an effective deterrent for violations of consumer protection rules.
The Report concludes by underscoring that the challenges posed by the development of the digital economy and Big Data will require the full exploitation of those instruments aimed at ensuring data protection, fair competition, and the safeguarding of consumers and pluralism. This will only be achieved if the Italian Authorities are able to establish meaningful cooperation strategies. To this end, the Authorities committed themselves to defining a permanent collaboration in relation to (i) interventions in this field and (ii) the study of the impact of Big Data on businesses, consumers and citizens.
Raw data: Data that has not been processed by a computer in any way. Data can either be input into a computer by a user or generated by a computer itself. Raw data can be personal data or non-personal data;
Personal data: Pursuant to Article 4 of the GDPR, "personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
Open data: Data that anyone can access, use and share. Open data becomes usable when made available in a common, machine-readable format;
Data portability: Data subjects have a right to obtain and reuse their personal data for their own purposes across different services. Therefore, a data controller storing personal data must, at the data subject's request, put the data subject in a position to move, copy or transfer personal data easily to another data controller in a secure way, or to merely store data for personal use. It is one of the eight rights afforded to data users by the GDPR (see Article 20);
Lock-in: A mechanism whereby a service provider (i) makes users dependent on its services and products and/or (ii) discourages users from leaving the service provider for another by introducing switching costs;
Providers of a publicly available electronic communications service: A provider of services allowing members of the public to send electronic messages. This includes telecoms providers and internet service providers;
Over-the-top (OTT) service providers: OTT service providers deliver content such as videos, movies, TV shows or media advertisement directly to users by streaming the media through the Internet. Some of the most popular OTT providers include Netflix, Amazon Prime Video, Vimeo and Hulu.