[author: Tim Banks]
The 34th International Conference of Data Protection and Privacy Commissioners was held in Uruguay on October 23 and 24, 2012. The purpose of the International Conference is to bring together data protection and privacy commissioners around the world to discuss emerging issues, share knowledge and promote international cooperation on projects.
The closed session of data protection and privacy commissioners produced the “Uruguay Declaration on Profiling” dealing with the use of Big Data, and two resolutions – one dealing with cloud computing and the other dealing with “the future of privacy”.
Uruguay Declaration on Profiling (Big Data)
In the Uruguay Declaration, the International Conference recognized “the many useful applications of big data and the advantages large data collections could bring to, among others, healthcare, energy efficiency and public safety.” However, the International Conference also outlined the risks of profiling and the potential lack of accountability regarding the quality of data. The International Conference reaffirmed the principle of purpose limitation.
In addition, International Conference set out eight that data protection and privacy commissioners should consider when dealing with profiling activities:
1. Public and private entities must be transparent about profiling, the way profiles are assembled and the purposes for which they are being used.
2. Profiling operations should have three phases: (i) identification of the need; (ii) identification of the assumptions and data that will form the basis of the profile; and (iv) how the profile is to be applied in practice. Each phase should be subject to separate decisions and regulatory oversight.
3. Profiles and the underlying algorithms must be continuously validated.
4. Profiling operations should not be fully automated. Human interventions should be required to avoid injustice to individuals subject to fully automated false positive or false negative results.
5. The creator and user of the profile should not be the same.
6. Individuals should be permitted to challenge the profile.
7. Authorities should ensure that they have sufficient enforcement power and knowledge to supervise public and private sector profiling activities.
8. Privacy enforcement authorities should have the power to test and challenge government proposals given the government’s access to large public and private databases.
Cloud Computing Resolution
The International Conference also resolved to encourage efforts and reduce risks associated with cloud computing given its potential to create economic efficiency, lower environmental impact, simplify operation and increase user-friendliness. However, the International Conference recommended in its resolution that:
• Cloud computing should not result in a lowering of data protection standards;
• Organizations should carry out privacy impact and risk assessments prior to engaging in cloud computing;
• Cloud service providers should focus on transparency, security, accountability and trust, particularly regarding information on data breaches and contractual clauses that promote data portability and data control by cloud users;
• Continuing efforts should be made to develop standards and certifications and privacy by design in cloud computing architectures;
• Legislators should assess the adequacy and interoperability of legal frameworks to facilitate cross-border transfers of data; and
• Privacy and data protection authorities should continue to engage with stakeholders.
Future of Privacy Resolution
In recognition of globalization and cross-border transfers of information, the International Conference renewed calls for international cooperation and coordination on data protection and privacy rules to bring national laws into harmony.