REGULATION MACHINE LEARNING IN AN AGE OF DATA€¦ · © Cloudera, Inc. All rights reserved. MACHINE LEARNING IN AN AGE OF DATA REGULATION JEFF FLETCHER [email protected]

© Cloudera, Inc. All rights reserved.

MACHINE LEARNING IN AN AGE OF DATA REGULATIONJEFF [email protected]

© Cloudera, Inc. All rights reserved. 2

AI AND MACHINE LEARNING GROWTH

3 © Cloudera, Inc. All rights reserved.



GDPR AND POPIA


GDPR

• Obligations of the organization○ Across people, process and

technology○ Impacts how personal data is

collected and used

• Substantial penalties○ Heavy fines for violations○ Up to 20M Euros or 4% of the annual global

turnover for the preceding financial year

• Applicable worldwide○ Any organization with any users in the EU

needs to be compliant. ○ Includes companies based outside the EU,

processing personal data from EU residents in connection with the offering any goods or services or monitoring user behavior.

○ Includes data processor and data controller

• Rights of the consumer○ Right to be forgotten/erasure○ Right to access information○ Right to data portability○ Right for processing to be restricted


GDPR

• 88 pages

• 99 Articles

• 173 Recitals.


POPI

“To promote the protection of personal information processed by public and private bodies;

to introduce certain conditions so as to establish minimum requirements for the processing of personal information;

to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;

to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.”


POPI

• 76 Pages

• 12 Chapters

• 115 Sections


GDPR VS POPI

VS


DATA PRIVACY REGULATIONS AND MACHINE LEARNING


IMPORTANT DEFINITIONS

• Automated Decision Making

• Profiling

• Legal Effects or Substantially Affects


AUTOMATED DECISION MAKING - GDPR

Article 22Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.


AUTOMATED DECISION MAKING - POPI

Section 71Automated decision making

a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.


AUTOMATED DECISION MAKING - EXAMPLE

“Imposing speeding fines purely on the basis of evidence from speed cameras is an automated decision making process that does not necessarily involve profiling.It would, however, become a decision based on profiling if the driving habits of the individual were monitored over time, and, for example, the amount of fine imposed is the outcome of an assessment involving other factors, such as whether the speeding is a repeat offence or whether the driver has had other recent traffic violations.”


PROFILING - GDPR

Article 4Definitions

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;


PROFILING - POPI

Section 5A data subject has the right...

(g) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;


PROFILING - EXAMPLE

“A data broker collects data from different public and private sources, either on behalf of its clients or for its own purposes. The data broker compiles the data to develop profiles on the individuals and places them into segments. It sells this information to companies who wish to improve the targeting of their goods and services. The data broker carries out profiling by placing a person into a certain category according to their interests.”


LEGAL EFFECTS OR SIGNIFICANTLY AFFECTS

“Hypothetically, a credit card company might reduce a customer’s card limit, based not on that customer’s own repayment history, but on non-traditional credit criteria, such as an analysis of other customers living in the same area who shop at the same stores.This could mean that someone is deprived of opportunities based on the actions of others. In a different context using these types of characteristics might have the advantage of extending credit to those without a conventional credit history, who would otherwise have been denied.”


WHERE DOES THAT LEAVE US?


THE REGULATIONS

GDPR - ARTICLE 22The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

POPI - SECTION 71a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person


THE DANGER ZONE

AUTOMATED DECISION MAKING

PROFILING!


EXCEPTIONS

GDPR

(a) necessary for the performance of or entering into a contract;

(b) authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or(c) based on the data subject’s explicit consent.

POPI

(a) has been taken in connection with the conclusion or execution of a contract, and

(i) the request of the data subject in terms of the contract has been met; or

(ii) appropriate measures have been taken to protect the data subject’s legitimate interests; or

(b) is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.


WHEN REGULATIONS ARE INVOKED


GDPR SCOPE

Articles 13-15the controller shall, at the time when personal data are obtained, provide the data subject . . . [in the case of] automated decision-making, including profiling, . . . meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Recital 71... should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.


POPI SCOPE

Section 71require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations in terms of paragraph (a).



TENSORFLOW


VISUALLY EXPLAINING ALGORITHMS


CLOUDERA FAST FORWARD LABS OFFERINGSReduce uncertainty by helping develop and implement an ML strategy

RESEARCH STRATEGY + ADVISING FEASIBILITY STUDIES




INTERPRETABILITY OF LINEAR REGRESSION


INTERPRETABILITY OF MORE COMPLEX MODELS






INTERPRETABILITY TRADE-OFF


WHITE BOX MODELS


BLACK BOX MODELS


LIME

LOCAL INTERPRETABLE MODEL-AGNOSTIC EXPLANATION


WHY DOES THIS MATTER?


LIME

LOCAL INTERPRETABLE MODEL-AGNOSTIC EXPLANATION


DEMO


THE RIGHT TO BE FORGOTTEN


REGULATIONS

GDPRArticle 17The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

POPISection 24A data subject may, in the prescribed manner, request a responsible party to—(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully;


MODEL INVERSION ATTACK


THANK YOU


LINKS

[email protected]://www.gov.za/sites/www.gov.za/files/37067_26-11_Act4of2013ProtectionOfPersonalInfor_correct.pdfArticle 29 WPhttp://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdfGDPRhttps://gdpr-info.eu/Model Inversion Attackhttps://cs.cmu.edu/~mfredrik/papers/fjr2015ccs.pdf

https://www.google.com/url?q=https://www.gov.za/sites/www.gov.za/files/37067_26-11_Act4of2013ProtectionOfPersonalInfor_correct.pdf&sa=D&ust=1539859466000000&usg=AFQjCNHdVvQtAoSZ1fDh-6Tv1Jvq_QYHlQ

https://www.google.com/url?q=https://www.gov.za/sites/www.gov.za/files/37067_26-11_Act4of2013ProtectionOfPersonalInfor_correct.pdf&sa=D&ust=1539859466000000&usg=AFQjCNHdVvQtAoSZ1fDh-6Tv1Jvq_QYHlQ

https://www.google.com/url?q=http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf&sa=D&ust=1539859466001000&usg=AFQjCNH4WN5juXoZRstgc8mkw2PB6efWZA

https://www.google.com/url?q=http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf&sa=D&ust=1539859466001000&usg=AFQjCNH4WN5juXoZRstgc8mkw2PB6efWZA

https://www.google.com/url?q=https://gdpr-info.eu/&sa=D&ust=1539859466002000&usg=AFQjCNG6N7bS3xb_NTmXXFlcUsAJ1k25cQ

https://www.google.com/url?q=https://cs.cmu.edu/~mfredrik/papers/fjr2015ccs.pdf&sa=D&ust=1539859466003000&usg=AFQjCNF1uc0ueXBkVemUDw1bKRgTm0x-3Q

Documents

REGULATION MACHINE LEARNING IN AN AGE OF DATA€¦ · © Cloudera, Inc. All rights reserved. MACHINE LEARNING IN AN AGE OF DATA REGULATION JEFF FLETCHER [email protected]