The Surge of Data Analytics
What transparency for what privacy?
Mireille Hildebrandt (ICIS, LSTS, ESL)
Agenda: the inference problem
1. What is law?
2. What is the right to privacy?
3. What is data protection?
4. What is LBP?
5. What kind of privacy is at stake?
6. What kind of transparency is needed?
Privacy Course Leuven 28th June 2011
2
What is law?
Trying to define law is like trying to hammer a pudding to the wall
Uwe Wesel
• Pacta servanda sunt?
• Intended legal effect
• Consensus
• Consideration
• Breach
• Killing
• War
• Medical treatment
• Car accident
• Intended effect
• Tort and/or crime
Private and Criminal law
• Retroactive application
• Lex certa
• Presumption of innocence
• Burden of proof
• Role of the court
• Difference between legal and factual guilt
• Adversarial and Inquisitorial procedure
• Role of the court
Radbruch
1. Justice; fairness, equality
2. Legal certainty; positivity
3. Purposiveness; instrumentality
Hart
1. How does law relate to and differ from orders backed by threats?
2. How does legal obligation differ from and relate to moral obligation?
3. What are rules and to what extent is law an affair of rules?
1. Primary rules = Regulative rules
• Impose duties
2. Secondary rules = Constitutive rules
• Confer powers (public or private)
• Rules of recognition
• Rules of change
• Rules of adjudication
In a constitutional democracy:
• Legal rules that confer powers also restrict powers:
• They provide functionality in a way that provides protection
• Double instrumentality of the law
• Constitutive and Limitative
What is privacy?
Legal framework of privacy and data protection: multi-layered
• International law within the Council of Europe: European Convention of Human Rights, art. 8. The Right to Privacy
• Supranational law within the European Union: Data Protection Directive 95/46/EC; [Framework Decision 2008/977/JHA]; ePrivacy Directive 2002/58/EC; Data Retention Directive 2006/24/EC
• National Constitutions, national law
Article 8 ECHR Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
• The right to be let alone
• The right to control the disclosure of information about oneself
• The freedom from unreasonable constraints on the construction of one’s identity
Human right of privacy:
• Negative obligation for the state: a private sphere
• Positive obligation for the state: imposing duties on private parties
What is data protection?
Data protection directive [D 95/46/EC]
Art. 2: (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
(d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; (...);
(e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
Definitions of consent art. 2/7/8
2 (h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
7 (a) the data subject has unambiguously given his consent
8 [sensitive data] (a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent
Fair processing art. 6:
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. (…);
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; (…)
2. It shall be for the controller to ensure that paragraph 1 is complied with.
Lawful grounds art. 7:
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party (…); or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (…); or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where (…).
Council Framework Decision DP Police/Justice
[2008/977/JHA]
• Scope: limited to the processing of personal data transmitted or made available between Member States.
Art. 3(2) Further processing for another purpose shall be permitted in so far as:
(a) it is not incompatible with the purposes for which the data were collected;
(b) the competent authorities are authorised to process such data for such other purpose in accordance with the applicable legal provisions; and
(c) processing is necessary and proportionate to that other purpose.
Art. 7 Automated individual decisions: A decision which produces an adverse legal effect for the data subject or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to the data subject shall be permitted only if authorised by a law which also lays down measures to safeguard the data subject’s legitimate interests.
• Art. 10 Logging and documentation
1. All transmissions of personal data are to be logged or documented for the purposes of verification of the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security.
2. Logs or documentation prepared under paragraph 1 shall be communicated on request to the competent supervisory authority for the control of data protection. (…)
• Art. 16 Information for the data subject
1. Member States shall ensure that the data subject is informed regarding the collection or processing of personal data by their competent authorities, in accordance with national law.
2. When personal data have been transmitted or made available between Member States, each Member State may, in accordance with the provisions of its national law referred to in paragraph 1, ask that the other Member State does not inform the data subject. In such case the latter Member State shall not inform the data subject without the prior consent of the other Member State.
Art. 17 (Right of Access)
2. The Member States may adopt legislative measures restricting access to information pursuant to paragraph 1(a), where such a restriction, with due regard for the legitimate interests of the person concerned, constitutes a necessary and proportional measure:
a) to avoid obstructing official or legal inquiries, investigations or procedures;
b) to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties;
c) to protect public security;
d) to protect national security;
e) to protect the data subject or the rights and freedoms of others.
ePrivacy Directive [D 2002/58/EC]
• Updated by Cookie Directive
• Updated by Data Retention Directive
• Art. 1: equivalent protection of privacy and data protection within the internal market + free movement of data
• Art. 2: about users not data subjects; about location data (geographic position of terminal equipment)
Art. 5 (3)
3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
Art. 6(3)
3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.
Data Retention Directive [D 2006/24/EC]
• Recital 4: applicability art. 15 ePrivacy Directive (restricting the rights attributed if necessary in a democratic society)
• Recital 8: 2004 Declaration on Combating Terrorism
• Recital 9: Relation art. 8 ECHR
• Recital 11: Demonstrated need for traffic data
• Art. 3: Obligation to retain traffic and location data
• Art. 4: Access only in specific cases in accordance with law – compliance with art. 8(2) ECHR
Art. 15 (ePrivacy Directive): restrictions of a set of rights of this Directive if this is necessary, appropriate and proportionate within a democratic society for a specified set of purposes.
1a. Paragraph 1 shall not apply to data specifically required by the Data Retention Directive to be retained for the purposes referred to in Article 1(1) of that Directive.
1b. Providers shall establish internal procedures for responding to requests for access to users' personal data based on national provisions adopted pursuant to paragraph 1. (…)
• Data protection concerns the implementation of the FIPs (fair information principles) to data processing
• Crucial:
• Distinction between personal and other data; focus on PII
• Ex ante purpose specification, ex post purpose limitation
• Default is freedom to process, on the condition that fairness and transparency are guaranteed
• Ambiguous role for consent
What is Location Based Profiling?
The term profiling refers to:
• The inference of profiles from Big Data, on the basis of knowledge discovery in databases, machine learning, and other techniques to generate knowledge;
• The application of such profiles to new data (provided or leaked by a person) in order to target that person as a consumer, customer, suspect, citizen, employee etc.
Location based profiling
The construction and/or application of profiles based on datasets that include location data.
Types of Profiles:
1. Generated from data of many persons: group profile
a. Distributive
b. Non-distributive
2. Generated from data of one person: individual profile
3. Individual profile applied to the individual
4. Group profile applied to an individual whose data match the profile
Apply a group profile to an individual
• What happens if a non-distributive profile is applied to an individual?
• Match but does not apply: incorrect
• Match and applies: correct
• Match irrespective of whether it applies: fair
• Match irrespective of whether it applies: unfair
Implications for central tenets of constitutional democracy
• Privacy: the autonomy trap
• Non-discrimination: fair treatment
• Due process: contesting incorrect or unfair application
What kind of privacy is at stake?
• Right to be left alone?
• Right to control the disclosure of information?
• Right to construct your identity without unreasonable constraints?
Use of ML to adapt to inferred human behaviours creates the inference problem
(Dwyer 2009)
• Invisible inferences impact the construction of personal identity
If machines define a situation as real, it is real in its consequences
• Autonomy-trap
• Subliminal influences
• Advanced red-lining
• Lack of transparency
• Power imbalances: transaction costs
ePrivacy Directive
• 2 (c) ‘location data’ means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;
• 9 (1) Where location data other than traffic data, (…), can be processed, such data may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service. The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added
Art. 29 WP (WP115) Opinion November 2005
On the use of location data with a view to providing value added services
The key issue for the processing of location data has thus moved on from being a question of storage (essentially: on what conditions should location data be stored by electronic communications operators?) to being a question of use (how can we ensure that data are used for supplying value-added services in accordance with the principles applicable to the processing of personal data?).
WP115, p. 3
Art. 29 WP (WP185) Opinion 13/2011
On Geolocation services on smart mobile devices
The device [e.g. smart phone, mh] is able to transmit location data from different sources to any third party. This technical capacity should not be confused with the lawfulness of such data processing. If the default settings of an operating system would allow for the transmission of location data, a lack of intervention by its users should not be mistaken for freely given consent.
WP185, p. 13
It must be clear that such consent cannot be obtained freely through mandatory acceptance of general terms and conditions, nor through opt-out possibilities. The default should be that location services are ‘OFF’, and users may granularly consent to the switching ‘ON’ of specific applications.
WP185, p. 14
Consent must be specific, for each of the different purposes that data are being processed for. The controller must make it very clear if his service is limited to providing an answer to the voluntary question ‘Where am I right now?’, or if his purpose is to create answers to the questions ‘Where are you, where have you been and where will you be next week?’
In other words, the controller must pay specific attention to consent for purposes a data subject does not expect, such as for example profiling and/or behavioural targeting.
WP185, p. 15
Data subjects also have a right to access possible profiles based on these location data. If location information is stored, users should be allowed to update, rectify or erase this information.
The Working Party recommends that controllers seek secure ways to provide direct online access to location data and possible profiles. It is key that such access is provided without demanding additional personal data to ascertain the identity of the data subjects.
WP185, p. 18
What kind of transparency?
Informed consent and informational self-determination require:
• That one can anticipate how one is and how one will be anticipated
The inference problem: Double Contingency
What I do depends on what you do which depends on what I do, which depends on what you do, which …
What I do depends on what I think you may do depending on what I do, which however depends on what you think I may do depending on what you may do, which…
Parsons (1951: 14-15) distinguishes:
. . . between objects which interact with the acting subject and those objects which do not. These interacting objects are themselves actors or egos. . . . They will be referred to as social objects or alters. A potential food-object . . . is not an alter, because it does not respond to ego’s expectations and because it has no expectations of ego’s action; another person, a mother or a friend, would be an alter to ego.
Luhmann (1995: 131-2) thinks in terms of the interaction of autonomous systems:
Beginning is easy. Strangers begin by reciprocally signalling each other indications of the most important behavioral foundations: the definition of the situation, social status, intentions. This initiates a system history that includes as well as reconstructs the problem of contingency. As a result, the system increasingly is occupied with arguments about a self-created reality: with handling facts and expectations that the system itself has helped to create.
Thomas Merton referring to the Thomas-Theorem:
If men define a situation as real, it is real in its consequences
Now we have:
If machines define a situation as real, it is real in its consequences
We need tools to help us in guessing and negotiating how we are being defined.
We need to move from using technologies to interacting with them.
Autonomy assumes that we sustain and resolve double anticipation
We thus need transparency of profiles, not merely the chance to hide our data
Without this transparency we fall in the autonomy-trap and privacy is an illusion
Art. 12 D 95/46/EC, Article 12: Right of access
Member States shall guarantee every data subject the right to obtain from the controller:
(1) without constraint at reasonable intervals and without excessive delay or expense:
(c) - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15(1);
Art. 15 (1) D 95/46/EC [under Section VII: The Data Subject’s Right to Object]
Article 15: Automated individual decisions
1. Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.
2. Subject to the other Articles of this Directive, Member States shall provide that a person may be subjected to a decision of the kind referred to in paragraph 1 if that decision:
(a) is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to put his point of view, or
(b) is authorized by a law which also lays down measures to safeguard the data subject's legitimate interests.
Need for: Transparency Enhancing Tools
(TETs):
• What profiles do I match?
• On the basis of which parameters?
• What is their relative weight?
• Which are the real-life consequences?
• Information obligation for data controllers?
• Counterprofiling ML technologies?
• Human Machine Interfacing!
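The profile types from the "Types of Profiles" slide and the TET questions above, worked through as an added Python illustration that is not part of the lecture: a group profile is inferred from the data of many persons, classified as distributive or non-distributive, applied to a newcomer who matches the group predicate, and the result is rendered as the answers a data subject would want. The records, the location attribute "area", the behaviours "late_payer" and "gym" and the consequence text are all constructed.

```python
"""Group profiles applied to an individual, with a TET-style explanation.
Added illustration for the lecture's profiling slides; all data is constructed."""
from typing import Dict, List

# Constructed records of many persons: a location attribute ("area") plus two
# made-up behaviours. None of these values come from the lecture.
RECORDS: List[Dict[str, object]] = [
    {"id": "p1", "area": "Z", "late_payer": True, "gym": True},
    {"id": "p2", "area": "Z", "late_payer": True, "gym": True},
    {"id": "p3", "area": "Z", "late_payer": False, "gym": True},
    {"id": "p4", "area": "Z", "late_payer": True, "gym": True},
    {"id": "p5", "area": "Y", "late_payer": False, "gym": False},
]

# A constructed newcomer whose device is seen in area Z. The true values are
# known here only because the data is made up; that is what lets us check
# whether an inference "applies" rather than merely "matches".
NEW_PERSON: Dict[str, object] = {"id": "q1", "area": "Z", "late_payer": False, "gym": True}


def build_group_profile(records: List[Dict[str, object]], key: str, value: object) -> Dict[str, float]:
    """Group profile inferred from the data of many persons sharing key == value:
    for every other attribute, the share of group members that have it."""
    members = [r for r in records if r[key] == value]
    attrs = [a for a in records[0] if a not in ("id", key)]
    return {a: sum(1 for m in members if m[a]) / len(members) for a in attrs}


def profile_kind(share: float) -> str:
    """Distributive: every group member has the attribute. Non-distributive:
    only a share of them does, so a match need not apply to a given individual."""
    return "distributive" if share == 1.0 else "non-distributive"


def apply_profile(profile: Dict[str, float], person: Dict[str, object],
                  key: str, value: object, threshold: float = 0.5) -> Dict[str, object]:
    """Match the individual on the group predicate, then infer each attribute
    whose share reaches the threshold and record whether it actually applies."""
    if person[key] != value:
        return {"matched": False, "inferences": []}
    inferences = []
    for attr, share in profile.items():
        if share < threshold:
            continue
        inferences.append({
            "attribute": attr,
            "weight": share,                    # relative weight of the parameter
            "kind": profile_kind(share),
            "verdict": "correct" if person[attr] else "incorrect",  # match vs. applies
        })
    return {"matched": True, "inferences": inferences}


def tet_report(profile: Dict[str, float], person: Dict[str, object],
               key: str, value: object, consequence: str) -> List[str]:
    """Answer the TET questions (which profile, which parameter, what weight,
    what real-life consequence) as lines a data subject could read."""
    result = apply_profile(profile, person, key, value)
    lines = [f"Profile matched: {'yes' if result['matched'] else 'no'} "
             f"(parameter {key} == {value!r})"]
    for inf in result["inferences"]:
        lines.append(f"  inferred {inf['attribute']} with weight {inf['weight']:.2f} "
                     f"({inf['kind']}) -> {inf['verdict']} for this person")
    lines.append(f"Real-life consequence: {consequence}")
    return lines


if __name__ == "__main__":
    zone_profile = build_group_profile(RECORDS, "area", "Z")
    for line in tet_report(zone_profile, NEW_PERSON, "area", "Z",
                           "constructed example: offer withheld pending review"):
        print(line)
```

Outside constructed data the "verdict" column is exactly what the data subject cannot compute alone, which is why the lecture asks for access to the profile, its parameters and their weights rather than only to the raw data.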
An example of a legal TET: art. 34 Data Protection Act 2009 Germany
(2) In the case of § 28b, the body responsible for the decision shall, on request, inform the data subject of
1. the probability values collected or first stored within the six months preceding receipt of the request for information,
2. the types of data used to calculate the probability values, and
3. how the probability values came about and what they mean, for the individual case and in a comprehensible, generally understandable form.
Sentence 1 applies accordingly if the body responsible for the decision 1. stores the data used to calculate the probability values without reference to a person but establishes that reference when making the calculation, or 2. uses data stored at another body.
Thank you for your attention!
Any questions?