The 34th International Conference of Data Protection and Privacy Commissioners was held in Uruguay on October 23 and 24, 2012. The purpose of the International Conference is to bring together data protection and privacy commissioners around the world to discuss emerging issues, share knowledge and promote international cooperation on projects.
The closed session of data protection and privacy commissioners produced the "Uruguay Declaration on Profiling" dealing with the use of Big Data, and two resolutions – one dealing with cloud computing and the other dealing with "the future of privacy".
Uruguay Declaration on Profiling (Big Data)
In the Uruguay Declaration, the International Conference recognized "the many useful applications of big data and the advantages large data collections could bring to, among others, healthcare, energy efficiency and public safety." However, the International Conference also outlined the risks of profiling and the potential lack of accountability regarding the quality of data. The International Conference reaffirmed the principle of purpose limitation.
In addition, International Conference set out eight that data protection and privacy commissioners should consider when dealing with profiling activities:
Public and private entities must be transparent about profiling, the way profiles are assembled and the purposes for which they are being used. Profiling operations should have three phases: (i) identification of the need; (ii) identification of the assumptions and data that will form the basis of the profile; and (iv) how the profile is to be applied in practice. Each phase should be subject to separate decisions and regulatory oversight. Profiles and the underlying algorithms must be continuously validated. Profiling operations should not be fully automated. Human interventions should be required to avoid injustice to individuals subject to fully automated false positive or false negative results. The creator and user of the profile should not be the same. Individuals should be permitted to challenge the profile. Authorities should ensure that they have sufficient enforcement power and knowledge to supervise public and private sector profiling activities. Privacy enforcement authorities should have the power to test and challenge government proposals given the government's access to large public and private databases. Cloud Computing Resolution
The International Conference also resolved to encourage...