July 18, 2023

Article 6(1)(f).GDPR. Opinion and market research in the age of Big Data

Articles

 

 

Author: Domingos Farinho

 

I. Overview/Introduction

Market and opinion research importance in contemporary society is evident and it can hardly be overestimated. It is an important component of almost every company’s business strategy, and it is also used by public institutions, such as regulators, along with academia. Although market and opinion research are not mentioned in the GDPR, they are closely connected to two of its key concerns: marketing purposes and scientific research purposes. However, the connection must be understood with caution.[1] Opinion and market research encompasses all kinds of studies aimed at getting knowledge about people and markets. This makes for a wide and porous notion.

On the one hand, as market and opinion research are not defined, the connection between marketing and scientific research is not formal. Materially, market and opinion research may or may not imply scientific or statistical research and it is important to have adequate criteria to establish a match, as this will lead to applying GDPR provisions concerning these kinds of research. Recital 159 offers some guidance on how to interpret the scope of scientific research purposes stating that it “should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”.[2] The line should be drawn regarding the exclusive use or not of scientific independence and purpose. If, e.g., scientific research is subordinated to processing operations targeting individuals as clients, it should be considered as a marketing operation and not scientific research driven personal data processing.[3] Opinion studies developed according to the tenets of statistical research with no commercial use are to be subsumed under scientific research when applying the GDPR.

On the other hand, marketing and market research, though connected, often work in opposite directions regarding data processing. Direct marketing has relevance under the GDPR insomuch as it targets specific natural persons through their personal data. Personal data are used at the end of the production cycle to better allocate goods and services to clients from a commercial perspective. When dealing with opinion and market research personal data usually come at the beginning of (or prior to) the production cycle in order to later develop and improve goods and services through data that by then can be partially anonymised (→ mn. 17) or at least pseudonymised. Later, with improved or even new products further targeted direct marketing may be used thus closing the circle. It is however clear, as the GDPR stresses,[4] that both direct marketing and scientific and statistical research should adopt adequate safeguards specially to ensure the principle of data minimisation.

Big data in particular highlights the relation between marketing and market research[5] as a circuit of personal data processing and the need for pseudonymisation and other safeguards.[6] The Art. 29 WP adopts notions of Big Data and Big Data Analytics as “the exponential growth both in the availability and in the automated use of information: it refers to gigantic digital datasets held by corporations, governments and other large organisations, which are then extensively analysed (hence the name: analytics [as] the discovery and communication of meaningful patterns in data”.[7]

As the Art. 29 WP states “’Big data’ is a broad term that covers a great number of data processing operations, some of which are already well-identified, while others are still unclear and many more are expected to be developed in the near future”.[8] The CoE also adds that “there are many definitions of Big Data, which differ depending on the specific discipline. Most of them focus on the growing technological ability to collect process and extract new and predictive knowledge from great volume, velocity, and variety of data. In terms of data protection, the main issues do not only concern the volume, velocity, and variety of processed data, but also the analysis of the data using software to extract new and predictive knowledge for decision-making purposes regarding individuals and groups”.[9]

 

 

 

 

[…]

 

 

 

 

[1]See Ehmann, ‘Anhang 4 zu Art. 6’, in Simitis/Hornung/Spiecker gen. Döhmann, pp. 541-542, mn. 35.

[2]See also Ehmann, ‘Anhang 4 zu Art. 6’, in Simitis/Hornung/Spiecker gen. Döhmann, pp. 541-542, mn. 35.

[3]In this sense, Ehmann, ‘Anhang 4 zu Art. 6’, in Simitis/Hornung/Spiecker gen. Döhmann, p. 542, mn. 40.

[4]See recital 156.

[5]Regarding this aspect, see Rubinstein, ‘Big Data: The End of Privacy or a New Beginning?’, IDPL, Vol 3. No. 2, 2013, pp. 76 et seq.

[6]Oostveen, ‘Identifiability and the applicability of data protection to big data’, IDPL, Vol. 6, No 4 (2016), p. 308.

[7]Art. 29 WP 203, 35; see also EDPS, Opinion 7/2015 Meeting the challenges of big data – A call for transparency, user control, data protection by design and accountability, 19 November 2015, p. 18.

[8]Art. 29 WP 221, ‘Statement on Statement of the WP29 on the impact of the development of big data on the protection of individuals with regard to the processing of their personal data in the EU’, adopted on 16 September 2014, p. 3.

[9]Council of Europe, Guidelines on the protection of individuals regarding the processing of personal data in a world of Big Data, 23 January 2017, p. 2; see also, European Parliament, Report on fundamental rights implications of big data: privacy, data protection, non-discrimination, security and law-enforcement (2016/2225(INI)), 20.2.2017, p. 3; Oostveen, ‘Identifiability’, pp. 302 et seq.

Articles’ list