
The Surge of Data Analytics What transparency for what privacy?

The Surge of Data Analytics What transparency for what privacy?. Mireille Hildebrandt (ICIS, LSTS, ESL). Agenda: the inference problem What is law? What is the right to privacy? What is data protection? What is LBP? What kind of privacy is at stake?



Presentation Transcript


  1. The Surge of Data Analytics: What transparency for what privacy? Mireille Hildebrandt (ICIS, LSTS, ESL)

  2. Agenda: the inference problem What is law? What is the right to privacy? What is data protection? What is LBP? What kind of privacy is at stake? What kind of transparency is needed?

  3. What is law?

  4. Trying to define law is like trying to hammer a pudding to the wall Uwe Wesel

  5. Pacta servanda sunt? Intended legal effect: Consensus, Consideration, Breach. Killing, War, Medical treatment, Car accident: Intended effect? Tort and/or crime

  6. Private and Criminal law: Retroactive application; Lex certa; Presumption of innocence; Burden of proof; Role of the court; Difference between legal and factual guilt; Adversarial and Inquisitorial procedure; Role of the court

  7. Radbruch Justice; fairness, equality Legal certainty; positivity Purposiveness; instrumentality

  8. Hart How does law relate to and differ from orders backed by threats? How does legal obligation differ from and relate to moral obligation? What are rules and to what extent is law an affair of rules?

  9. Primary rules = Regulative rules Impose duties Secondary rules = Constitutive rules Confer powers (public or private) Rules of recognition Rules of change Rules of adjudication

  10. In a constitutional democracy: Legal rules that confer powers also restrict powers: They provide functionality in a way that provides protection Double instrumentality of the law Constitutive and Limitative

  11. What is privacy?

  12. Legal framework of privacy and data protection: multi-layered. International law within the Council of Europe: European Convention on Human Rights, art. 8, the Right to Privacy. Supranational law within the European Union: Data Protection Directive 95/46/EC; [Framework Decision 2008/977/JHA]; ePrivacy Directive 2002/58/EC; Data Retention Directive 2006/24/EC. National Constitutions, national law

  13. Article 8 ECHR Right to respect for private and family life 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

  14. The right to be let alone The right to control the disclosure of information about oneself The freedom from unreasonable constraints on the construction of one’s identity

  15. Human right of privacy: Negative obligation for the state: a private sphere Positive obligation for the state: imposing duties on private parties

  16. What is data protection?

  17. Data Protection Directive [D 95/46/EC] Art. 2 (a): 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

  18. (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; (...); (e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

  19. Definitions of consent art. 2/7/8 2 (h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. 7 (a) the data subject has unambiguously given his consent 8 [sensitive data] (a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent

  20. Fair processing art. 6: Member States shall provide that personal data must be: processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. (…); adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; accurate and, where necessary, kept up to date; (…) 2. It shall be for the controller to ensure that paragraph 1 is complied with.

  21. Lawful grounds art. 7: Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party (…); or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (…); or (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where (…).

  22. Council Framework Decision DP Police/Justice [2008/977/JHA] Scope: limited to the processing of personal data transmitted or made available between Member States. Art. 3(2) Further processing for another purpose shall be permitted in so far as: it is not incompatible with the purposes for which the data were collected; the competent authorities are authorised to process such data for such other purpose in accordance with the applicable legal provisions; and processing is necessary and proportionate to that other purpose. Art. 7 Automated individual decisions: A decision which produces an adverse legal effect for the data subject or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to the data subject shall be permitted only if authorised by a law which also lays down measures to safeguard the data subject’s legitimate interests.

  23. Art. 10 Logging and documentation: All transmissions of personal data are to be logged or documented for the purposes of verification of the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security. Logs or documentation prepared under paragraph 1 shall be communicated on request to the competent supervisory authority for the control of data protection. (…) Art. 16 Information for the data subject: MSs shall ensure that the data subject is informed regarding the collection or processing of personal data by their competent authorities, in accordance with national law. When personal data have been transmitted or made available between MSs, each MS may, in accordance with the provisions of its national law referred to in paragraph 1, ask that the other MS does not inform the data subject. In such case the latter MS shall not inform the data subject without the prior consent of the other MS.

  24. Art. 17 (Right of Access) The Member States may adopt legislative measures restricting access to information pursuant to paragraph 1(a), where such a restriction, with due regard for the legitimate interests of the person concerned, constitutes a necessary and proportional measure: to avoid obstructing official or legal inquiries, investigations or procedures; to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties; to protect public security; to protect national security; to protect the data subject or the rights and freedoms of others.

  25. ePrivacy Directive [D 2002/58/EC], updated by the Cookie Directive and by the Data Retention Directive. Art. 1: equivalent protection of privacy and data protection within the internal market + free movement of data. Art. 2: about users, not data subjects; about location data (geographic position of terminal equipment)

  26. Art. 5 (3) 3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

  27. Art. 6(3) 3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.

  28. Data Retention Directive [D 2006/24/EC] Recital 4: applicability art. 15 ePrivacy Directive (restricting the rights attributed if necessary in a democratic society) Recital 8: 2004 Declaration on Combating Terrorism Recital 9: Relation art. 8 ECHR Recital 11: Demonstrated need for traffic data Art. 3: Obligation to retain traffic and location data Art. 4: Access only in specific cases in accordance with law – compliance with art. 8(2) ECHR

  29. Art. 15 (ePrivacy Directive): restrictions of a set of rights of this Directive if this is necessary, appropriate and proportionate within a democratic society for a specified set of purposes. 1a. Paragraph 1 shall not apply to data specifically required by the Data Retention Directive retained for the purposes referred to in Article 1(1) of that Directive. 1b. Providers shall establish internal procedures for responding to requests for access to users' personal data based on national provisions adopted pursuant to paragraph 1. (…)

  30. Data protection concerns the implementation of the FIPs (fair information principles) to data processing Crucial: Distinction between personal and other data; focus on PII Ex ante purpose specification, ex post purpose limitation Default is freedom to process, on the condition that fairness and transparency are guaranteed Ambiguous role for consent

  31. What is Location Based Profiling?

  32. The term profiling refers to: The inference of profiles from Big Data, on the basis of knowledge discovery in databases, machine learning, and other techniques to generate knowledge; The application of such profiles to new data (provided or leaked by a person) in order to target that person as a consumer, customer, suspect, citizen, employee etc.

  33. Location based profiling The construction and/or application of profiles based on datasets that include location data.

  34. Types of Profiles:
      Generated from data of many persons: group profile (distributive or non-distributive)
      Generated from data of one person: individual profile
      Individual profile applied to the individual
      Group profile applied to an individual whose data match the profile

  35. Apply a group profile to an individual. What happens if a non-distributive profile is applied to an individual?
      Match but does not apply: incorrect
      Match and applies: correct
      Match irrespective of whether it applies: fair
      Match irrespective of whether it applies: unfair
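As an added illustration of slides 34 and 35 (not part of the presentation), the two steps of location based profiling on a constructed dataset: a group profile is inferred per location zone, then applied to anyone whose location matches it. A distributive profile (the attribute holds for every member) can never produce a "match but does not apply" case; a non-distributive one can. The zones, person ids and the "cycles to work" attribute are all invented.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: (person id, location zone, attribute).
# The attribute here is "cycles to work"; every value is made up.
RECORDS = [
    ("p1", "zone-A", True), ("p2", "zone-A", True), ("p3", "zone-A", True),
    ("p4", "zone-B", True), ("p5", "zone-B", True), ("p6", "zone-B", True),
    ("p7", "zone-B", False),
    ("p8", "zone-C", False), ("p9", "zone-C", False),
]

@dataclass(frozen=True)
class GroupProfile:
    zone: str
    share: float        # fraction of the group that has the attribute
    distributive: bool  # True only when the attribute holds for every member

def infer_profiles(records):
    """Inference step: one group profile per location zone."""
    by_zone = defaultdict(list)
    for _, zone, attr in records:
        by_zone[zone].append(attr)
    profiles = {}
    for zone, attrs in by_zone.items():
        share = sum(attrs) / len(attrs)
        profiles[zone] = GroupProfile(zone, share, share in (0.0, 1.0))
    return profiles

def apply_profile(profiles, zone, threshold=0.5):
    """Application step: anyone whose location matches the zone is treated
    as having the attribute when the group share exceeds the threshold."""
    profile = profiles[zone]
    return profile.share > threshold, profile

def evaluate(profiles, records):
    """Check each matched person against ground truth: a match that applies
    is correct, a match that does not apply is incorrect (slide 35)."""
    result = {"correct": 0, "incorrect": [], "incorrect_from_distributive": 0}
    for person, zone, actual in records:
        predicted, profile = apply_profile(profiles, zone)
        if predicted == actual:
            result["correct"] += 1
        else:
            result["incorrect"].append(person)
            result["incorrect_from_distributive"] += profile.distributive
    return result

if __name__ == "__main__":
    profiles = infer_profiles(RECORDS)
    print(evaluate(profiles, RECORDS))
```

Person p7 matches the zone-B profile (75% of that group cycles) but the profile does not apply to p7, which is exactly the case that a controller holding only the profile, and not the ground truth, cannot see.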

  36. Implications for central tenets of constitutional democracy Privacy: the autonomy trap Non-discrimination: fair treatment Due process: contesting incorrect or unfair application

  37. What kind of privacy is at stake?

  38. Right to be left alone? Right to control the disclosure of information? Right to construct your identity without unreasonable constraints?

  39. Use of ML to adapt to inferred human behaviours creates the inference problem (Dwyer 2009) Invisible inferences impact the construction of personal identity

  40. If machines define a situation as real, it is real in its consequences Autonomy-trap Subliminal influences Advanced red-lining Lack of transparency Power imbalances: transaction costs

  41. ePrivacy Directive 2 (c) ‘location data’ means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service; 9 (1) Where location data other than traffic data, (…), can be processed, such data may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service. The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added

  42. Art. 29 WP (WP115) Opinion November 2005 On the use of location data with a view to providing value added services

  43. The key issue for the processing of location data has thus moved on from being a question of storage (essentially: on what conditions should location data be stored by electronic communications operators?) to being a question of use (how can we ensure that data are used for supplying value-added services in accordance with the principles applicable to the processing of personal data?). WP115, p. 3

  44. Art. 29 WP (WP185) Opinion 13/2011 On Geolocation services on smart mobile devices

  45. The device [e.g. smart phone, mh] is able to transmit location data from different sources to any third party. This technical capacity should not be confused with the lawfulness of such data processing. If the default settings of an operating system would allow for the transmission of location data, a lack of intervention by its users should not be mistaken for freely given consent. wp185, p. 13

  46. It must be clear that such consent cannot be obtained freely through mandatory acceptance of general terms and conditions, nor through opt-out possibilities. The default should be that location services are ‘OFF’, and users may granularly consent to the switching ‘ON’ of specific applications. wp185, p. 14

  47. Consent must be specific, for each of the different purposes that data are being processed for. The controller must make it very clear if his service is limited to providing an answer to the voluntary question ‘Where am I right now?’, or if his purpose is to create answers to the questions ‘Where are you, where have you been and where will you be next week?’ In other words, the controller must pay specific attention to consent for purposes a data subject does not expect, such as for example profiling and/or behavioural targeting. wp185, p. 15

  48. Data subjects also have a right to access possible profiles based on these location data. If location information is stored, users should be allowed to update, rectify or erase this information. The Working Party recommends that controllers seek secure ways to provide direct online access to location data and possible profiles. It is key that such access is provided without demanding additional personal data to ascertain the identity of the data subjects. wp185, p. 18

  49. What kind of transparency?

  50. Informed consent and informational self-determination require That one can anticipate how one is and how one will be anticipated
