Murphy and Barton 2014 (†721) Murphy, Michael, and John Barton, "From a Sea of Data to Actionable Insights: Big Data and What It Means for Lawyers," Intellectual Property & Technology Law Journal 26:3 (March 2014), p.8-17.
- reidentification (p.13): Advertisers, researchers, and users of data in many other industries have long argued that aggregating or de-identifying personal data can render it anonymous and thus allow unrestricted use without compromising individual data subject privacy. Until very recently, most regulators have accepted this argument as well in granting safe harbors or similar exceptions to data privacy regulations for data that has been anonymized. In the outsourcing and cloud-computing industry, customers have followed suit in routinely granting their service providers the right to use customer data so long as the service providers aggregate it with other data and remove personally identifiable data prior to disclosing it. In recent years, computer scientists have demonstrated that anonymized data can be “reidentified” by linking anonymized records to outside information. ... In each case, researchers found that seemingly anonymous data contained unique attributes and other clues that enabled them to reidentify it with individuals. Once a person has been identified, the effect is compounded as it becomes easier to associate more and more information with that person. The ease with which researchers can reidentify anonymized data has several implications in the outsourcing and cloud-based service industry. Among them:
  • Regulations generally define the “personal data” that they cover broadly as information that can be used to identify a person. With reidentification, seemingly innocuous information such as search queries and Netflix reviews could arguably fall within the definition of personal data and be subject to additional regulation.
  • Regulators are beginning to explicitly address new types of data (e.g., IP addresses, cookie identifiers).
  • Reidentification also may lead to increased liability. For example, if personal information collected by a company is disclosed by the company’s service provider and later reidentified, the company may face claims from its end users and possibly fines from regulators; the service provider may face claims from the company for failing to adequately anonymize the data. (†1645)