The Surge of Data Analytics What transparency for what privacy? Mireille Hildebrandt (ICIS, LSTS, ESL)

The Surge of Data Analytics

What transparency for what privacy?

Mireille Hildebrandt (ICIS, LSTS, ESL)

Agenda: the inference problem

1. What is law?2. What is the right to privacy?3. What is data protection?

4. What is LBP?5. What kind of privacy is at stake?6. What kind of transparency is

needed?

Privacy Course Leuven 28th June 2011

2

What is law?


3

Trying to define law is like trying to hammer a pudding to the wall

Uwe Wesel


4

• Pacta servanda sunt?• Intended legal effect• Consensus• Consideration• Breach

• Killing• War• Medical treatment• Car accident• Intended effect• Tort and/or crime


5

Private and Criminal law

• Retroactive application• Lex certa• Presumption of innocence

• Burden of proof• Role of the court• Difference between legal and factual guilt

• Adversarial and Inquisitorial procedure

• Role of the court


6

Radbruch1. Justice; fairness, equality2. Legal certainty; positivity 3. Purposiveness; instrumentality


7

Hart1. How does law relate to and differ

from orders backed by threats?2. How does legal obligation differ from

and relate to moral obligation?3. What are rules and to what extent is

law an affair of rules?


8

1. Primary rules = Regulative rules• Impose duties

2. Secondary rules = Constitutive rules

• Confer powers (public or private)• Rules of recognition• Rules of change• Rules of adjudication


9

In a constitutional democracy:

• Legal rules that confer powers also restrict powers:

• They provide functionality in a way that provides protection

• Double instrumentality of the law• Constitutive and Limitative


10

What is privacy?


11

Legal framework of privacy and data protection: multi-layered

• International law within the Council of Europe: European Convention of Human Rights, art. 8. The Right to Privacy

• Supranational law within the European Union: Data Protection Directive 95/46/EC; [Framework Decision 2008/977/JHA]; ePrivacy Directive 2002/28/EC; Data Retention Directive 2006/24/EC

• National Constitutions, national lawPrivacy Course Leuven 28th June 2011

12

Article 8 ECHR Right to respect for private and

family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.


13

• The right to be let alone

• The right to control the disclosure of information about oneself

• The freedom from unreasonable constraints on the construction of one’s identity


14

Human right of privacy:

• Negative obligation for the state: a private sphere

• Positive obligation for the state: imposing duties on private parties


15

What is data protection?


16

Data protection directive[D 95/48/EC]

Art. 2: (a) 'personal data' shall mean any information relating

to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity


17

d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; (...);

(e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;


18

Definitions of consent art. 2/7/8

2 (h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

7 (a) the data subject has unambiguously given his consent

8 [sensitive data] (a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent


19

Fair processing art. 6:

1. Member States shall provide that personal data must be: (a)processed fairly and lawfully;(b)collected for specified, explicit and legitimate

purposes and not further processed in a way incompatible with those purposes. (…);

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d)accurate and, where necessary, kept up to date; (…)

2. It shall be for the controller to ensure that paragraph 1 is complied with.


20

Lawful grounds art. 7:

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party (…); or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (…); or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where (…).


21

Council Framework Decision DP Police/Justice

[2008/977/JHA]

• Scope: limited to the processing of personal data transmitted or made available between Member States.

Art. 3(2) Further processing for another purpose shall be permitted in so far as:

(a) it is not incompatible with the purposes for which the data were collected;

(b) the competent authorities are authorised to process such data for such other purpose in accordance with the applicable legal provisions; and

(c) processing is necessary and proportionate to that other purpose.

Art. 7 Automated individual decisions: A decision which produces an adverse legal effect for the data subject or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to the data subject shall be permitted only if authorised by a law which also lays down measures to safeguard the data subject’s legitimate interests.


22

• Art. 10 Logging and documentation 1. All transmissions of personal data are to be logged or

documented for the purposes of verification of the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security.

2. Logs or documentation prepared under paragraph 1 shall be communicated on request to the competent supervisory authority for the control of data protection. (…)

• Art. 16 Information for the data subject 1. MSs shall ensure that the data subject is informed regarding

the collection or processing of personal data by their competent authorities, in accordance with national law.

2. When personal data have been transmitted or made available between MSs, each MS may, in accordance with the provisions of its national law referred to in paragraph 1, ask that the other MS does not inform the data subject. In such case the latter MS shall not inform the data subject without the prior consent of the other MS.)


23

Art. 17 (Right of Access)

2. The Member States may adopt legislative measures restricting access to information pursuant to paragraph 1(a), where such a restriction, with due regard for the legitimate interests of the person concerned, constitutes a necessary and proportional measure: a) to avoid obstructing official or legal inquiries, investigations

or procedures; b) to avoid prejudicing the prevention, detection, investigation

and prosecution of criminal offences or for the execution of criminal penalties;

c) to protect public security; d) to protect national security; e) to protect the data subject or the rights and freedoms of

others.


24

ePrivacy Directive[D 2002/58/EC]

• Updated by Cookie Directive• Updated by Data Retention Directive

• Art. 1: equivalent protection of privacy and dp within the internal market + free movement of data

• Art. 2: about users not data subjects; about location data (geografic position of terminal equipment)


25

Art. 5 (3)

3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.


26

Art. 6(3)

3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.


27

Data Retention Directive[D 2006/24/EC]

• Recital 4: applicability art. 15 ePrivacy Directive (restricting the rights attributed if necessary in a democratic society)

• Recital 8: 2004 Declaration on Combating Terrorism

• Recital 9: Relation art. 8 ECHR• Recital 11: Demonstrated need for traffic data

• Art. 3: Obligation to retain traffic and location data

• Art. 4: Access only in specific cases in accordance with law – compliance with art. 8(2) ECHR


28

Art. 15 (ePrivacy Directive): restrictions of a set of rights of this Directive if this is necessary, approporiate and proportionate within a democratic society for a specified set of purposes.

1a. Paragraph 1 shall not apply to data specifically required by the Data Retentions Directive retained for the purposes referred to in Article 1(1) of that Directive.

1b. Providers shall establish internal procedures for responding to requests for access to users' personal data based on national provisions adopted pursuant to paragraph 1. (…)


29

• Data protection concerns the implementation of the FIPs (fair information principles) to data processing

• Crucial: • Distinction between personal and other

data; focus on PII• Ex ante purpose specification, ex post

purpose limitation• Default is freedom to process, on the

condition that fairness and transparency are guaranteed

• Ambiguous role for consent


30

What is Location Based Profiling?


31

The term profiling refers to:

• The inference of profiles from Big Data, on the basis of knowledge discovery in databases, machine learning, and other techniques to generate knowledge;

• The application of such profiles to new data (provided or leaked by a person) in order to target that person as a consumer, customer, suspect, citizen, employee etc.


32

Location based profiling

The construction and/or application of profiles based on datasets that include location data.


33

Types of Profiles:

1. Generated from data of many persons: group profile

a. Distributiveb. Non-distributive

2. Generated from data of one person: individual profile

3. Individual profile applied to the individual

4. Group profile applied to an individual whose data match the profile


34

Apply a group profile to an individual

• What happens if a non-distributive profile is applied to an individual?• Match but does not apply: incorrect• Match and applies: correct• Match irrespective of whether it applies:

fair• Match irrespective of whether it applies:

unfair


35

Implications for central tenets of constitutional democracy

• Privacy: the autonomy trap• Non-discrimination: fair treatment• Due process: contesting incorrect or unfair

application


36

What kind of privacy is at stake?


37

• Right to be left alone?

• Right to control the disclosure of information?

• Right to construct your identity without unreasonable constraints?


38

Use of ML to adapt to inferred human behaviours creates the inference problem

(Dwyer 2009)

• Invisible inferences impact the construction of personal identity


39

If machines define a situation as real, it is real in its consequences

• Autonomy-trap• Subliminal influences• Advanced red-lining• Lack of transparency• Power imbalances: transaction costs


40

ePrivacy Directive

• 2 (c) ‘location data’ means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;

• 9 (1) Where location data other than traffic data, (…), can be processed, such data may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service. The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value addedPrivacy Course Leuven

28th June 201141

Art. 29 WP (WP115)Opinion November 2005

On the use of location data with a view to providing value added services


42

The key issue for the processing of location data has thus moved on from being a question of

storage (essentially: on what conditions should location data be stored by electronic

communications operators?) to being a question of use (how can we ensure that data are used for supplying value-added services

in accordance with the principles applicable to the processing of personal data?).

WP115, p. 3


43

Art. 29 WP (WP185)Opinion 13/2011

On Geolocation services on smart mobile devices


44

The device [e.g. smart phone, mh] is able to transmit location data from different sources

to any third party. This technical capacity should not be confused with the lawfulness of such data processing. If the default settings of

an operating system would allow for the transmission of location data, a lack of intervention by its users should not be

mistaken for freely given consent.

wp185, p. 13


45

It must be clear that such consent cannot be obtained freely through mandatory

acceptance of general terms and conditions, nor through opt-out possibilities. The default

should be that location services are ‘OFF’, and users may granularly consent to the switching

‘ON’ of specific applications.

Wp185, p. 14


46

Consent must be specific, for each of the different purposes that data are being

processed for. The controller must make it very clear if his service is limited to providing an answer to the voluntary question ‘Where

am I right now?’, or if his purpose is to create answers to the questions ‘Where are you,

where have you been and where will you be next week?’

In other words, the controller must pay specific attention to consent for purposes a data

subject does not expect, such as for example profiling and/or behavioural

targeting.

wp185, p. 15Privacy Course Leuven 28th June 2011

47

Data subjects also have a right to access possible profiles based on these location data. If location information is stored, users should

be allowed to update, rectify or erase this information.

The Working Party recommends that controllers seek secure ways to provide direct online

access to location data and possible profiles. It is key that such access is provided without

demanding additional personal data to ascertain the identity of the data subjects.

wp185, p. 18Privacy Course Leuven 28th June 2011

48

What kind of transparency?


49

Informed consent and informational self-determination

require

• That one can anticipate how one is and how one will be anticipated


50

The inference problem:Double Contingency

What I do depends on what you do which depends on what I do, which depends on what you do, which …

What I do depends on what I think you may do depending on what I do, which however depends on what you think I may do depending on what you may

do, which…


51

Parsons (1951: 14-15) distinguishes:

. . . between objects which interact with the acting subject and those objects which do not. These interacting objects are themselves actors or egos. . . . They will be referred to as social objects or alters. A potential food-object . . . is not an alter, because it does not respond to ego’s expectations and because it has no expectations of ego’s action; another person, a mother or a friend, would be an alter to ego.


52

Luhmann (1995: 131-2) thinks in terms of the interaction of autonomous systems:

Beginning is easy. Strangers begin by reciprocally signalling each other indications of the most important behavioral foundations: the definition of the situation, social status, intentions. This initiates a system history that includes as well as reconstructs the problem of contingency. As a result, the system increasingly is occupied with arguments about a self-created reality: with handling facts and expectations that the system itself has helped to create.


53

Thomas Merton referring to the Thomas-Theorem:

If men define a situation as real, it is real in its

consequences


54

Now we have:

If machines define a situation as real it is real in its

consequences


55

We need tools to help us in guessing and negotiating how we are being defined.

We need to move from using technologies to interacting with them.

Autonomy assumes that we sustain and resolve double anticipation

We thus need transparency of profiles, not merely the chance to hide our data

Without this transparency we fall in the autonomy-trap and privacy is an illusion


56

Art. 12 D 95/46 EC

Article 12: Right of access

Member States shall guarantee every data subject the right to obtain from the controller:

(1) without constraint at reasonable intervals and without excessive delay or expense:

(c) - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15(1);


57

Art. 15 (1) D 95/46 EC[under Section VII: The Data Subject’s Right to Object]

Article 15: Automated individual decisions

1. Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.


58

2. Subject to the other Articles of this Directive, Member States shall provide that a person may be subjected to a decision of the kind referred to in paragraph 1 if that decision:

(a) is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to put his point of view, or

(b) is authorized by a law which also lays down measures to safeguard the data subject's legitimate interests.


59

Need for: Transparency Enhancing Tools

(TETs):

• What profiles do I match?• On the basis of which parameters?• What is their relative weight?• Which are the real-life consequences?

• Information obligation for data controllers?

• Counterprofiling ML technologies?• Human Machine Interfacing!Privacy Course Leuven 28th June 2011

60

An example of a legal TET: art. 34 Data Protection Act 2009 Germany

(2) Im Fall des § 28b hat die für die Entscheidung verantwortliche Stelle dem Betroffenen auf Verlangen Auskunft zu erteilen über

1 die innerhalb der letzten sechs Monate vor dem Zugang des Auskunftsverlangens erhobenen oder erstmalig gespeicherten Wahrscheinlichkeitswerte,2. die zur Berechnung der Wahrscheinlichkeitswerte genutzten Datenarten und3. das Zustandekommen und die Bedeutung der Wahrscheinlichkeitswerte einzelfallbezogen und nachvollziehbar in allgemein verständlicher Form.

Satz 1 gilt entsprechend, wenn die für die Entscheidung verantwortliche Stelle1. die zur Berechnung der Wahrscheinlichkeitswerte genutzten Daten ohne Personenbezug speichert, den Personenbezug aber bei der Berechnung herstellt oder2. bei einer anderen Stelle gespeicherte Daten nutzt.


61

Thank you for your attention!

Any questions?


62

Documents

The Surge of Data Analytics What transparency for what privacy? Mireille Hildebrandt (ICIS, LSTS, ESL)