What is Interoperability?, Network Centric Operations Industry Consortium, https://www.ncoic.org/technology/what_is_interoperability (last visited on June 24, 2013).
 Victor Mayer-Schönberger & Kenneth Cukier, Big Data: A Revolution that will Transform how we Live, Work, and Think, 21–23 (Houghton Mifflin Harcourt, 2013).
 Id. at 55.
 Id. at 8–9.
 See, e.g., Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (2003) (governing disclosures of consumer credit data), Gramm-Leach-Bliley Act, Pub.L. 106–102 (1999) (governing financial institutions).
 45 C.F.R. 164.501 (2002).
 45 C.F.R. 164.512(c)(2)(ii) (2002).
 45 C.F.R. 106.102 (2002). See infra note 16.
 General Data Protection Regulation, European Commission, 2012/0011, Article 83(2)(a). Article 7 requires written consent to use the specific data to be disclosed, with the option to withdraw consent at any time. General Data Protection Regulation, Article 7.
 See, e.g., Id. Article 83(2)(b) (“the publication of personal data is necessary to present research findings . . . insofar as the interests or the fundamental rights or freedoms of the data subject do not override those interests”) and Article 83(1)(a) (“these purposes cannot be otherwise fulfilled”).
 Christine Porter, De-Identified Data and Third Party Data Mining: the Risk of Re-Identification of Personal Information, 5 Shidler J.L. Com. & Tech. 3, 16 (2008), available at http://digital.law.washington.edu/dspace-law/bitstream/handle/1773.1/417/vol5_no1_art3.pdf.
 Id. at 14.
 Disclosure requirements are limited to electronically stored information, up to three years before the date of the disclosure request. Health Information Technology for Economic and Clinical Health Act, Pub.L. 111–5, § 13405 (c)(1)(B) (2009).
 Commissioner Julie Brill, Reclaim Your Name, 23rd Computers Freedom and Privacy Conference Keynote address, Washington, D.C. (June 26, 2013), transcript available at http://www.ftc.gov/speeches/brill/130626computersfreedom.pdf (last visited July 8, 2013).
 Challenges and Opportunities with Big Data, Computing Research Ass’n, http://www.cra.org/ccc/files/docs/init/bigdatawhitepaper.pdf (last visited June 28, 2013).
 Various techniques (e.g. key-coding, rotating salts, encryption keys, and introduction of “noise”) are currently used to reduce the risk of re-identification. Article 29 Working Party, Opinion 03/13 on Purpose Limitation, at 31, 00569/13/EN, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf.
 This principle also informs other data subject rights such as the right of access (15), right to be forgotten (17), and right to object (19–20). General Data Protection Regulation, Article 5(e), 15, 17, 19–20.
 Id. Article 83(1)(a). While (1)(b) requires separate safekeeping of PII from other data, this too can be waived if the research purpose cannot be otherwise fulfilled.
 45 C.F.R. 164.502(d) (2008). Other laws such as the Gramm-Leach-Bliley Act explicitly state that anonymized data is not covered by the statute. 16 C.F.R. 313.3(o)(2)(ii)(B) (2008).
 Khaled El Emam et al., A Systematic Review of Re-identification Attacks on Health Databases, PLoS ONE 6(12) (2011), http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0028071 (finding that the re-identification rates were dominated by smaller studies that had not followed proper de-identification methods).
 Cf. Challenges and Opportunities with Big Data, supra note 16.
 After AOL accidentally released their search records in 2006, a group of N.Y. Times reporters could re-identify an individual, Thelma Arnold, by her past searches. Porter, supra note 12, at 9.
 Id. at 12.
 Article 29 Working Party, supra note 17, at 32.
 Fed. Trade Comm’n, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 2012), at 21.
 See, e.g., Data Protection Officer Conference 2013, http://www.ico.org.uk/conference2013; IAPP Global Privacy Summit 2013, https://www.privacyassociation.org/events_and_programs/global_privacy_summit_2013.
 General Data Protection Regulation, Article 24.
 Article 29 Working Party, Explanatory Document on the Processor Binding Corporate Rules, at 4, 00658/13/EN, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp204_en.pdf.
 Fed. Trade Comm’n, supra note 26, at 21.
 HIPAA Privacy Rule and its Impacts on Research, Nat’l Institutes of Health, http://privacyruleandresearch.nih.gov/pr_08.asp (last visited July 11, 2013) (describing how non-covered entities can still access PII in a limited data set with a data use agreement).
 Among the biggest data security breaches are those in third party or group databases, such as the Epsilon data breach. See Taylor Armerding, The 15 Worst Data Breaches of the 21st Century, CSO (Feb. 15, 2012), http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century.
 Article 29 Working Party, Opinion 05/2012 on Cloud Computing, at 21, 01037/12/EN, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf.
 Article 29 Working Party, Explanatory Document on the Processor Binding Corporate Rules, at 13.
 General Data Protection Regulation, Article 42–43.