Data science and privacy regulation
1 like3,227 views
This document summarizes key points about data science and privacy regulation: 1. Regulation aims to alter behavior according to standards to achieve defined outcomes, and can involve standard-setting, information gathering, and modifying behavior. 2. With "big data", problems arise for the laissez-faire conception of privacy regulation due to market failures, insider threats, and mass surveillance capabilities. 3. Designing for privacy is important, such as data minimization, decentralization, consent requirements, and easy-to-use privacy interfaces. The "data exhaust" from ubiquitous data collection threatens privacy in Europe.
![Bulk vs. targeted surveillance
President Obama’s NSA Review Panel :
"Although we might be safer if the government had ready access to a massive storehouse of
information about every detail of our lives, the impact of such a program on the quality of life and
on individual freedom would simply be too great… We recommend that the US Government should
examine the feasibility of creating software that would allow the National Security Agency and other
intelligence agencies more easily to conduct targeted information acquisition rather than bulk-data
collection.”
Deputy Prime Minister, 4 Mar 2014 :
“[O]ur current framework assumes that the collection of bulk data is uncontroversial as long as
arrangements for accessing it are suitably stringent. I don’t accept that... [S]trong access controls
are vital to prevent employees from going on ‘fishing expeditions’ once a store of data exists. But the
case for collection itself has to be made, not assumed.”](https://image.slidesharecdn.com/datascienceandprivacyregulation-180222113644/85/Data-science-and-privacy-regulation-13-320.jpg)
![GDPR Art. 23 DP by design & default
1. …the controller… shall…implement appropriate and proportionate technical and organisational
measures and procedures in such a way that the processing will meet the requirements of this
Regulation and ensure the protection of the rights of the data subject… data protection by
design shall be a prerequisite for public procurement tenders… [and] procurement by entities
operating in the water, energy, transport and postal services sector
2. The controller shall ensure that, by default, only those personal data are processed which are
necessary for each specific purpose of the processing and are especially not collected,
retained or disseminated beyond the minimum necessary for those purposes, both in terms of
the amount of the data and the time of their storage. In particular, those mechanisms shall
ensure that by default personal data are not made accessible to an indefinite number of
individuals and that data subjects are able to control the distribution of their personal data.
See Korff & Brown (2010)](https://image.slidesharecdn.com/datascienceandprivacyregulation-180222113644/85/Data-science-and-privacy-regulation-14-320.jpg)
Data science and privacy regulation
- 1. Dr Ian Brown a personal view @1br0wn Data science and privacy regulation
- 2. Overview 1. What is regulation? ⬜ Definitions ⬜ Science as a regulator 2. Privacy and consent - problems for the laissez-faire conception of privacy regulation with “big data” 3. Designing for privacy - will the “data exhaust” be shut off?
- 3. Lessig’s (1996) “Pathetic Dot” modalities of Internet regulation Brown and Marsden (2013) “Iceberg” model of Internet regulation Regulation is “The sustained and focused attempt to alter the behaviour of others according to defined standards and purposes with the intention of producing a broadly identified outcome or outcomes, which may involve mechanisms of standard-setting, information-gathering and behaviour modification” (Black, 2002)
- 4. Do politics have (scientific) artefacts (or irreproducible results)? “highly persuasive similes are at work: pious stories, seemingly reaped from research, suggesting certain general theoretical insights. Variously adapted, they are handed down: in the process, they acquire almost doctrinal unassailability.” (Joerges 1999) Scientists, and scientific communities, have norms, values, processes too - paradigms and prejudices (Kuhn and followers - see Chalmers (2013)) Hence, the need for responsible research and innovation Science as a regulator
- 5. Overview 1. What is regulation? 2. Privacy and consent - problems for the laissez-faire conception of privacy regulation with “big data” ⬜ Market failures ⬜ Insider threats ⬜ The Digital Panopticon 3. Designing for privacy - will the “data exhaust” be shut off?
- 6. Market failures Information asymmetry – data gathered ubiquitously and invisibly in a way few understand Privacy policies unreadable and difficult to verify/enforce Most individuals bad at immediate benefit v deferred, uncertain cost decisions Privacy risks are highly probabilistic, cumulative, and difficult to calculate Information industries highly concentrated (DG Competition and FTC investigations) Brown (2014)
- 7. Insider threats Information required Price paid to ‘blagger’ Price charged Occupant search not known £17.50 Telephone reverse trace £40 £75 Friends and Family £60 – £80 not known Vehicle check at DVLA £70 £150 – £200 Criminal records check not known £500 Locating a named person not known £60 Ex-directory search £40 £65 – £75 Mobile phone account not known £750 Licence check not known £250 “What price privacy?”, Information Commissioner’s Office (2006)
- 9. Overview 1. What is regulation? 2. Privacy and consent - problems for the laissez-faire/”buyer beware” conception of privacy regulation with “big data” 3. Designing for privacy - will the “data exhaust” be shut off?
- 10. Designing for privacy Data minimisation key: is your personal data really necessary? Limit & decentralise personal data collection, storage, access and usage – enforced using cryptography Protects against hackers, corrupt insiders, and function creep Users should also be notified and consent to the processing of data – easy-to-use interfaces are critical. What are defaults? Jedrzejczyk et al. (2010)
- 11. EU data ‘exhaust’ concerns Source: European Commission (2016) Flash Eurobarometer #443 Data Protection in the EU, p.30
- 12. Euro constitutional protections ECHR, 1950 Reaffirming their profound belief in those fundamental freedoms which are the foundation of justice and peace in the world… §8 Everyone has the right to respect for his private and family life, his home and his correspondence §9 Everyone has the right to freedom of thought, conscience and religion §10 Everyone has the right to freedom of expression §11 Everyone has the right to freedom of peaceful assembly and to freedom of association with others EU Charter of Fundamental Rights, 2012 The peoples of Europe, in creating an ever closer union among them, are resolved to share a peaceful future based on common values… §7 Everyone has the right to respect for his or her private and family life, home and communications. §8 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified...
- 13. Bulk vs. targeted surveillance President Obama’s NSA Review Panel : "Although we might be safer if the government had ready access to a massive storehouse of information about every detail of our lives, the impact of such a program on the quality of life and on individual freedom would simply be too great… We recommend that the US Government should examine the feasibility of creating software that would allow the National Security Agency and other intelligence agencies more easily to conduct targeted information acquisition rather than bulk-data collection.” Deputy Prime Minister, 4 Mar 2014 : “[O]ur current framework assumes that the collection of bulk data is uncontroversial as long as arrangements for accessing it are suitably stringent. I don’t accept that... [S]trong access controls are vital to prevent employees from going on ‘fishing expeditions’ once a store of data exists. But the case for collection itself has to be made, not assumed.”
- 14. GDPR Art. 23 DP by design & default 1. …the controller… shall…implement appropriate and proportionate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject… data protection by design shall be a prerequisite for public procurement tenders… [and] procurement by entities operating in the water, energy, transport and postal services sector 2. The controller shall ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected, retained or disseminated beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data. See Korff & Brown (2010)
- 15. Conclusion Technology developments can have a significant social impact – societies can shape/regulate the values Internet technologies embed if they wish (Brown, Clark & Trossen 2010) - data science equivalents? There are very significant legal regulatory constraints in Europe on collection, retention, and use of personal data - can’t be wished away These are questions not just for computer scientists, but also lawyers, economists, sociologists – and citizens and their representatives
- 16. References J. Black (2002) Critical Reflections on Regulation. Australian Journal of Legal Philosophy 27, p.26. I. Brown (2014) The economics of privacy, data protection and surveillance. In J.M. Bauer and M. Latzer (eds.) Research Handbook on the Economics of the Internet. Cheltenham: Edward Elgar. I. Brown, D. Clark and D. Trossen (2010) Should Specific Values Be Embedded In The Internet Architecture? Re-Architecting the Internet: Proceedings of CO-NEXT 2010, New York, NY: ACM Press. I. Brown and C. Marsden (2013) Regulating Code: Good Governance and Better Regulation in the Information Age. Cambridge, MA: MIT Press. A. Chalmers (2013) What is this thing called science? 4th edition. McGraw-Hill Education. L. Lessig (1996) The New Chicago School. The Journal of Legal Studies 27(S2) pp.661–691. L. Jedrzejczyk, B. A. Price, A. K. Bandara and B. Nuseibeh (2010) On The Impact of Real-Time Feedback on Users’ Behaviour in Mobile Location-Sharing Applications, Symposium on Usable Privacy and Security, Redmond. D. Korff and I. Brown (2010) New Challenges to Data Protection. European Commission DG Freedom, Security and Justice. A. McDonald and L.F. Cranor (2008) The Cost of Reading Privacy Policies. I/S 4 p.543. B. Joerges (1999) Do politics have artefacts? Social Studies of Science 29(3) pp.411-431.