Database Reference
In-Depth Information
In short, even if people refuse to disclose their personal data, these characteristics
can easily be predicted with data mining tools.
19.1.2 The Failure of Anonymity
The arguments above underlining the failure of access controls are particularly
applicable to hiding two types of information: identifying information and
discrimination-sensitive information. Starting with the first, identifying
information is important in establishing whether information is anonymous or not.
Current European legislation protects and limits collecting and processing
personal data, but not the collecting and processing of anonymous data. For this
reason, data controllers may prefer to process anonymous data, which allows
profiling on an aggregate (group) level. Despite false negatives and false positives,
such profiles may be sufficiently accurate for decision-making.
9
The
characteristics may be valid for the group members even though they may not be
valid for the individual group members as such.
10
For instance, predicting that
people driving white cars cause less traffic accidents on average or predicting that
people who refrain from eating peanut butter live longer on average may be
(hypothetical) data mining results based on anonymous databases. Ascribing an
anonymous profile to a data subject (if John drives a white car, then he is likely to
be a careful driver, or if Sue regularly eats peanut butter, then she is likely to live
long), implies ascribing personal data to individuals. This process creates new
personal data. Compared to a situation in which a data subject voluntarily
provided personal data to a data controller, it is much more difficult for a data
subject to know about the existence and the contents of such ascribed personal
data. In fact, characteristics may be attributed to people that they did not know
about themselves (such as life expectancies or credit default risks). People may be
grouped with other individuals unknown to them (such as being on flight KL611
to Chicago together).
This process may seem harmless, but may be considered less harmless to the
individuals involved when information is combined and used to predict or deduce,
with slight margins of error, particular sensitive data. Furthermore, predicting or
deducing missing values and subsequently ascribing them to individuals may
cause friction with informed consent from those individuals. In Europe, in many
cases (though not always), data subjects have a right to consent to the use of their
data. When people do not know the ways in which their personal data are
processed, which characteristics are ascribed to them, and what are the
consequences of this, it is very difficult for them to object.
The mechanisms involved in anonymity are also applicable to a certain extent
to discrimination-sensitive information. Under discrimination laws, several
characteristics are considered unacceptable for decision-making. For instance,
ethnic background or gender should not be used to select job applicants. However,
everyone knows that a trivial attribute like a name can often predict the ethnicity
9
Zarsky, T. Z. (2003).
10
Vedder, A. H. (1999).
Search WWH ::
Custom Search