Privacy by Design Archives - TechGDPR
https://techgdpr.com/blog/tag/privacy-by-design/
Fri, 31 Oct 2025 17:11:54 +0000

How to build trustworthy AI from the ground up with Privacy by Design?
https://techgdpr.com/blog/how-to-build-trustworthy-ai-from-the-ground-up-with-privacy-by-design/
Wed, 25 Jun 2025 12:15:30 +0000
We now live in a time where technologies such as artificial intelligence are increasingly woven into the fabric of everyday life. AI is invisibly present, performing an array of functions such as showing recommendations, detecting fraud, predicting disease, and navigating traffic. However, concern about privacy is growing along with the benefits of these technologies. Who owns the data a model is trained on? Can users meaningfully consent to algorithmic choices that are beyond their comprehension? How do we avoid harm before it happens? These are some of the most pressing questions.

AI applications

Privacy by Design (PbD) is crucial here. We cannot shy away from saying it’s a good idea, but framing it as ‘critical’ is much closer to the mark. The framework developed by Dr. Ann Cavoukian is integral to embedding privacy in AI infrastructures. It is important to understand how AI developers can turn PbD into reality, alongside explaining why preserving user privacy matters.

Understanding PbD starts from the premise that privacy should not be something users have to look for or configure themselves; it should be set as the default.

Understanding Privacy by Design: Principles at the Core

Privacy by Design is based upon the notion that privacy should be the natural default and not an optional feature one must find or switch on. Instead of responding to privacy violations, PbD has companies anticipate them and prevent them from occurring in the first place. Its seven design principles are not idealistic goals; they are pragmatic recommendations for integrating ethical data handling at every stage of the design process.

Picture Privacy by Design as baking privacy into the cake rather than adding it on top as sprinkles. PbD is an approach that builds privacy into systems from the start.

Here are the seven main principles in more detail:

  1. Proactive not reactive; preventive not remedial: Anticipate risks before they arise. Don’t wait for a breach to act.
  2. Privacy as the default setting: Individuals shouldn’t have to request privacy. It should be automatic.
  3. Privacy embedded into design: Build systems that make it impossible to forget privacy because it’s built in, not added later.
  4. Full functionality by being positive-sum, not zero-sum: Achieve both privacy and innovation; one shouldn’t come at the expense of the other.
  5. End-to-end security and lifecycle protection: Protect data from the moment it’s collected until it’s deleted.
  6. Visibility and transparency: Systems must be open to inspection, review, and explanation.
  7. Respect for user privacy: Keep the user at the center with simple controls and clear, honest communication.

The Unique Privacy Challenges in AI

AI is different from typical software. Its reliance on enormous collections of data and its capacity to infer sensitive material from ostensibly harmless data points make it highly invasive. Models trained on voice, text, images, or behavior can identify not only user tendencies but also mood, political orientation, or state of health.

This poses a sequence of privacy threats:

  • Over-collection: AI is hungry for data, and therefore developers tend to overcollect.
  • Inferred data: Models can infer far more about users than users have explicitly disclosed.
  • Opacity: Most AI models are “black boxes,” where even the developers aren’t necessarily sure how decisions are being made.

Ignoring privacy can result in:

  • Fines and lawsuits under legislation such as the GDPR, the EU AI Act and the CCPA.
  • Loss of customer and user trust.
  • PR disasters that bury your brand.

Good privacy is not only good business, but good ethics as well.

Best Practices for Integrating PbD in AI Development

To implement Privacy by Design properly in AI systems, developers need to be strategic as well as practical. Below are crucial steps to follow:

  1. Begin with Privacy Impact Assessments (PIAs): Before creating anything, perform a PIA to discover privacy threats and analyze how your AI system processes information. This way, threats are identified and addressed upfront, instead of after deployment. Begin your AI project by asking:
  • What information is required?
  • What are the threats?
  • How are users safeguarded?
  2. Adopt data minimization and purpose limitation: Collect data only if it’s needed to accomplish a precise, well-defined purpose. This minimizes risk and simplifies handling of privacy obligations. Resist the temptation to “collect now, decide later.”
  3. Take advantage of privacy-enhancing technologies: Differential privacy adds calibrated noise to released statistics so that results cannot be traced back to individuals. Federated learning trains models on user devices, reducing central data aggregation. These technologies maintain utility while keeping user identities secure.
  4. Encourage transparency and explainability: Transparency does not solely involve open-sourcing code; more importantly, it means explaining in simple terms how the system functions, what information is used, and what the model is deciding. Model interpretability techniques and tools such as model cards can help.
  5. Ensure secure access and data encryption: Data should be encrypted both in transit and at rest. Access controls must be strong, restricting access to data by role and need. Regular audits should be performed to ensure compliance.
  6. Build ethical oversight: Develop cross-disciplinary review boards consisting of technologists, legal specialists, ethicists, and community members. Such bodies can review projects for privacy, fairness, and unintended effects.
  7. Design for user empowerment: Provide users with the ability to see, control, and remove their information. Provide privacy controls that are understandable and accessible. Opt-in is the norm, not sneaky default options or unclear text.
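The privacy-enhancing-technologies step above (differential privacy, applied with the data-minimization step in mind), as an added example that is not code from the original post: a Laplace-mechanism count query with a privacy budget, in Python with the standard library only. The sample records, the predicate and the epsilon values are constructed for illustration.

```python
"""Laplace-mechanism differential privacy for a count query, with a privacy budget.

Added example, not code from the original post. The sample records, the
predicate and the epsilon values are constructed for illustration.
"""
import math
import random
from typing import Callable, Dict, List

Record = Dict[str, object]
Predicate = Callable[[Record], bool]

# Constructed sample records: one row per user. "sensitive" stands in for any
# attribute the post warns a model could infer (health status, political view).
SAMPLE_RECORDS: List[Record] = [
    {"user_id": f"u{i:03d}", "sensitive": (i % 3 == 0)} for i in range(30)
]


def is_sensitive(record: Record) -> bool:
    """Constructed predicate for the demo query."""
    return bool(record["sensitive"])


def true_count(records: List[Record], predicate: Predicate) -> int:
    """Exact count of matching records. Never released directly: combined with
    other releases it lets an observer single out one person."""
    return sum(1 for r in records if predicate(r))


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = sensitivity / epsilon. A count has sensitivity 1: adding
    or removing one person changes the exact answer by at most 1."""
    if sensitivity <= 0 or epsilon <= 0:
        raise ValueError("sensitivity and epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(rng: random.Random, scale: float) -> float:
    """Laplace(0, scale) noise as the difference of two exponentials (stdlib only)."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def likelihood_ratio(observed: float, count_a: int, count_b: int, scale: float) -> float:
    """How much more likely a released value is under dataset A than under a
    neighbouring dataset B (same data, one person added or removed). For the
    Laplace mechanism this never exceeds exp(|count_a - count_b| / scale), i.e.
    exp(epsilon) for a count: no single output can confidently reveal whether
    a given individual is in the data."""
    return math.exp((abs(observed - count_b) - abs(observed - count_a)) / scale)


class PrivacyBudget:
    """Sequential composition: every release spends epsilon, and releases stop
    once the total is reached. This is the data-minimization idea applied to
    outputs: the budget caps how much can ever be learned about any one person."""

    def __init__(self, total_epsilon: float, seed: int = 0) -> None:
        self.total = total_epsilon
        self.spent = 0.0
        self._rng = random.Random(seed)  # seeded only so the demo is reproducible

    def remaining(self) -> float:
        return self.total - self.spent

    def can_spend(self, epsilon: float) -> bool:
        return epsilon > 0 and epsilon <= self.remaining() + 1e-12

    def dp_count(self, records: List[Record], predicate: Predicate,
                 epsilon: float, sensitivity: float = 1.0) -> float:
        """Release a noisy count, charging epsilon against the budget."""
        if not self.can_spend(epsilon):
            raise PermissionError("privacy budget exhausted; refuse the query")
        self.spent += epsilon
        noise = sample_laplace(self._rng, laplace_scale(sensitivity, epsilon))
        return true_count(records, predicate) + noise


def mean_absolute_noise(epsilon: float, trials: int = 4000, seed: int = 1) -> float:
    """Average |noise| added to a count at this epsilon. Its expected value is
    1/epsilon, which makes the utility cost of a smaller epsilon concrete."""
    rng = random.Random(seed)
    scale = laplace_scale(1.0, epsilon)
    return sum(abs(sample_laplace(rng, scale)) for _ in range(trials)) / trials


if __name__ == "__main__":
    budget = PrivacyBudget(total_epsilon=1.0, seed=42)
    print(f"exact count (internal only): {true_count(SAMPLE_RECORDS, is_sensitive)}")
    for _ in range(2):
        released = budget.dp_count(SAMPLE_RECORDS, is_sensitive, epsilon=0.5)
        print(f"released: {released:.2f} (budget left {budget.remaining():.2f})")
    print("third query of epsilon 0.5 allowed:", budget.can_spend(0.5))
    for eps in (0.1, 0.5, 1.0):
        print(f"epsilon={eps}: mean |noise| ~ {mean_absolute_noise(eps):.2f}")
```

The likelihood-ratio bound is what stops an analyst from telling the two neighbouring datasets apart; the budget is what keeps repeated queries from eroding that bound.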

Lessons from the real world

Let’s see who is doing it right and who isn’t:

The Trade-Offs and Challenges Ahead

Even with the best of intentions, implementing PbD for AI is hard. There are compromises:

  • Data minimization vs. performance: Limiting how much personal data you process can hurt model performance, because fewer data points can mean a weaker model.
  • Anonymity vs. fairness: Reducing bias relies on demographic information, which introduces new privacy issues. To be fair, there is often a requirement for data on race or gender, which is sensitive.
  • Technical expertise: Techniques such as federated learning and differential privacy call for expert know-how as well as computational resources.

These are challenges worth overcoming. With privacy being both a competitive advantage and a legal requirement, businesses embracing PbD will be far ahead of their competitors in the long run.

What’s coming next?

Regulations are solidifying. The EU AI Act and other initiatives are establishing new norms. Meanwhile, technologies such as homomorphic encryption (so computation can be performed on encrypted information) and synthetic data (which simulates real data without revealing real users) are opening up new paths for privacy-led innovation. These technologies will help AI developers prioritize building systems that safeguard people.

As AI reshapes society, privacy must not be treated as an afterthought. It’s a design choice that reflects an organization’s values, foresight, and respect for its users. Integrating Privacy by Design isn’t just about avoiding penalties; it’s about building systems that are ethical, resilient, and worthy of trust. If you’re building AI, you’re shaping the future. Make it one where people feel safe and respected. By using Privacy by Design, you’re not just avoiding trouble; you’re building trust, improving outcomes, and showing users you’ve got their back.

Every line of code and every product decision is an opportunity to do better. Start now. Make privacy the foundation, not the fix.

Why should software developers care about GDPR compliance?
https://techgdpr.com/blog/software-developers-and-gdpr-compliance/
Wed, 14 Feb 2024 14:27:29 +0000
Software developers often view GDPR compliance as a blocker, as they are left trying to figure out what personal data is and how to maintain compliance. In a recent study by Alhazmi and Arachchilage, software developers cite multiple reasons that make approaching GDPR compliance tricky. Some reasons listed include a lack of clear best implementation practices, a lack of familiarity with the legislation and a lack of guidance. Understanding what to look for and what to prioritize likely constitutes the first hurdle. There are many reasons why software developers should acknowledge privacy and ensure regulatory compliance such as GDPR compliance. Software developers play a key role in ensuring GDPR compliance.

GDPR compliance as a market differentiator

Companies serious about GDPR compliance understand its role in maintaining their market position. Those who are proactive are quicker at placing themselves on a purchaser’s list of adequate suppliers. When processing data from people in Europe, the GDPR applies. It forces an organization to implement measures and maintain records of compliance. Even if an organization is not currently processing that data, building in regulatory compliance early supports future collaborations and partnerships with larger organizations and ensures the trust of product users.

Whether a software developer operates in a B2C, B2B or B2B2C context is irrelevant. The processing of personal data anywhere on that chain of services needs to comply with GDPR requirements. Thus, achieving and maintaining compliance allows an organisation to remain a supplier that implementing clients will consider. For instance, a software developer for a small start-up is able to integrate fundamental privacy by design and default principles into their design. This includes practices such as implementing end-to-end security, hashing, and other cryptographic measures.

Transparency makes the product more competitive if it is to be implemented through partnerships or sold as a SaaS. Procurement negotiations might still bring up specific questions and feature requests to be added to the agreements your organization signs as a vendor. By prioritizing compliance, any solution developed is more likely to remain on the list of suppliers worth considering especially if the negotiation deals with business in the EU. Implementing privacy preserving design features allows an organization the competitive edge of transparency.

Major fines

Tech giants such as Facebook, Google and Amazon regularly face severe fines for non-compliance. These fines are essentially caused by deliberate ambiguity in their data processing and in the fulfillment of their transparency requirements. Worse, they disregard their data controller obligations and get fined for a combination of hidden processing practices and implemented dark patterns. In May 2023, Meta was hit with a 1.3 billion euro fine for lack of GDPR compliance. This is the largest fine to date. Amazon was fined 746 million in 2021 for failing to collect user consent for advertising. When companies get fined, several factors come into play, potentially including their willingness to cooperate and implement corrective actions. However, constant factors include lack of transparency, misleading patterns and a lack of legitimization of processing.

However, most businesses are small-to-medium-sized enterprises (SMEs). This term is technically defined by the European Commission as a company with fewer than 250 employees. For an SME, GDPR compliance is harder to achieve due to proportionally reduced resources or access to expertise. Therefore, if an SME is able to achieve compliance, it recovers the competitive advantage over larger players that it loses on operational costs. Tech giants are consistently pressured to maintain compliance due to their increased visibility. Therefore, compliance, when managed efficiently, is a defining competitive advantage for smaller companies.

GDPR compliance as a political or social issue

When tech-savvy individuals go online, they tend to protect their own privacy by using strong passwords. Other examples include increasingly using MFA where available, or using pseudonyms and single-use email addresses where possible. With the help of a few high-profile breaches and updates to app marketplace practices and communication strategies, the average user has become more aware of online privacy risks. Software developers tend to implement best security practices in their own use of software and apps. As a result, they are particularly well suited to understand the need for security. They are also specifically instructed to implement strong security practices and privacy design patterns such as content security policies for websites. As creators of technology, software developers have an ethical responsibility to protect the privacy of individuals and empower them to use their software or services more privately.

By implementing best design practices such as minimizing cookies, requiring MFA, encrypting user data, and taking a privacy-by-default approach to design, designers create privacy-preserving environments. While the expectation might be that less tech-savvy individuals are likely to show relative indifference about their own privacy, one study, entitled Caring is not enough: the importance of Internet skills for online privacy protection, argues that even if people do care, they also need to be educated on how to protect their own privacy. It is not uncommon to feel helpless protecting one’s own data or safely using the internet. Typically, a lot of the burden for security falls, wrongfully, on the individual.

Should the average user be expected to know how to make use of encryption to feel safe online? 

For many, cookie banners are annoying interfaces, easily brushed away by clicking the “Accept all” button. Configuring a cookie banner not to set non-essential cookies by default makes the organization compliant on that requirement. It also provides users with a choice. Amongst other principles, privacy by default also requires the developer to ensure the most private settings are set by default. Software designers familiar with ePrivacy requirements are able to notify the marketing team that silent opt-ins are illegal in the EU. This allows the organization to engage in discussions as to whether to design for compliance or to accept the risk. In accepting the risk, an organisation increases user distrust for the benefit of tracking, profiling and advertising KPIs.

As digitization continues, selling user data or mishandling personal information has become pervasive in the tech field. This trend occurs without much regard for the significance of the action. It has become regretfully normalized even though it is against the GDPR. This is likely due partially to many companies operating solely within the US. At the moment, the US does not have a federal governing law similar to the GDPR. Regardless, this precedent is pervasive.

People should have the right to use and access the internet and software-related tools and services without being seen as a commodity. Through the use of tracking elements and abuse of consumer metrics, individuals are being commodified and sold as such. It should not be the case that individuals can be so easily manipulated and tracked through their actions online. When software developers prioritize GDPR compliance, they are able to help prevent the commodification of individuals by their company.

GDPR compliance in software development as an intellectual challenge

It is easy to do things in a non-secure manner. It would be easier to pick up one’s phone to text people if it had no password, but most individuals likely have a password on their phone to keep strangers from accessing the content on their device. Therefore, the easiest solution is not always the best solution. This stems from the common dilemma of convenience versus privacy that one is confronted with daily. Instead of seeing this as an issue, one should frame it as a challenge. If one views compliance as an intellectual challenge of how to protect others, the issue becomes more intriguing and fun to solve. An issue bears the connotation of an obligation or nuisance.

Individuals are motivated to do things either intrinsically or extrinsically. When a supervisor informs a developer that they must make the system compliant with the GDPR, that is the definition of an extrinsic motivator, as it is external; intrinsic motivation, however, is a far more powerful and compelling motivator. Intrinsic motivation is part of the reason why computer games are fun to learn.

An intellectual challenge has a better and more enthralling connotation. This idea has been theorized since the 1950s, and academics have postulated through research that intrinsic motivation is correlated with how challenging the activity is. Considering that those with a background in computer science are confronted with technical issues and problems to solve all the time, compliance is best viewed as an intellectual challenge: avoid the easiest solution and instead create the most secure one.

Concluding thoughts

Compliance is the law. As a software developer, one will likely need to work to implement or maintain compliance with the GDPR. It is easy to see it as a tedious endeavor handed down by a higher-up who might not necessarily understand the ramifications of the technical assignment they are bestowing. Instead, one should view the GDPR through an intrinsically motivated lens, as an intellectual challenge to protect the rights of individuals. There are other reasons why, as a software developer, one should care about the GDPR. These include, but are not limited to, securing contracts and helping others with less knowledge of proper internet privacy practices.

The joy of the internet and technology should benefit and be enjoyed by all individuals, regardless of their technical background and without fear of losing their rights. The question should not be “does one engage with technology and in doing so give up their right to privacy?”; rather, the burden should fall less on technically inexperienced users and be built into technology inherently.

If you are interested in taking your GDPR knowledge to the next level, dive into TechGDPR’s specialized training for developers. This course is designed to equip you with the skills and understanding needed to navigate GDPR compliance within your projects. It will help you ensure your software is up to standard and gain a competitive edge. Discover more and enroll today at GDPR for Developers – Online Course.

Data protection & privacy digest 18 Feb – 3 Mar 2023: practical application of the EU-US Data Privacy Framework remains a concern
https://techgdpr.com/blog/data-protection-digest-06032023-practical-application-of-the-eu-us-data-privacy-framework-remains-a-concern/
Mon, 06 Mar 2023 10:24:41 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US data privacy framework, China’s outbound data rules, international transfer risk assessment, Australian small business to adopt data protection

The EDPB sees improvements under the EU-US Data Privacy Framework, but many more concerns remain. The improvements include the introduction of requirements embodying the principles of necessity and proportionality for US intelligence data gathering and the new redress mechanism for EU data subjects. However, further clarification is needed on:

  • rights of data subjects,
  • rules on automated decision-making and profiling,
  • onward transfers (e.g., to sub-processors in the US),
  • the scope of exemptions,
  • the practical functioning of the redress mechanism,
  • temporary bulk collection, retention, and dissemination of data by the government (targeted surveillance of foreign persons located outside the US under Section 702 FISA and Executive Order 12333).

Finally, the EDPB recognises the role of special advocates and the supervision of the redress mechanism by the Privacy and Civil Liberties Oversight Board. In addition, it is troubled by the general application of the Data Protection Review Court’s standard reply informing the complainant that either no covered violations were found or a determination requiring appropriate remediation was made, especially given that this decision cannot be appealed.

The German Data Protection Conference also assesses the risks of third-country authorities’ access to personal data processed in the EU/EEA. The mere possibility that a foreign public authority or parent company of a European subsidiary can demand the transfer of data does not constitute a data transfer in itself. However, if a processor does proceed with a data transfer under third-country laws or corporate law instructions, it needs to provide sufficient guarantees, through transfer impact assessments or suitable technical and organisational measures, to ensure GDPR compliance.

Meanwhile, the Cyberspace Administration of China (CAC) started the approval of outbound data transfers. All international data transfers from now on must follow one of three procedures in order to be legal: mandatory security assessment measures for significant data transfers, and state-approved standard contractual clauses or certification for less significant data sets. Typically, companies need to prepare a 180-page document mapping out the data flow and then justify to the local and national authorities why certain data must leave China. For less-significant cross-border transfers, the newly released standard contractual clauses do not require approval; however, the CAC has the right to intervene at any moment.

In Australia, small businesses with annual revenue of 3 million dollars or less may soon be required to abide by the Privacy Act, even though they are not currently required to protect user personal information or disclose how it is used. The 20-year-old exemption was introduced prior to businesses’ take-up of online platforms. Now experts say they are no longer a low risk as far as cybercriminals are concerned. Small business associations claim data security obligations will result in severe damages for the whole sector. The Australian government has not yet announced which changes it will adopt. Basically, companies would need to have a privacy policy, assure adequate data security measures, and delete data or de-identify it when no longer required.

Official guidance: international transfers definition, privacy by design and default for developers, deceptive design patterns, ROPAs, video surveillance

The EDPB updated guidelines on the concept of international transfers. A clarification was added regarding the responsibilities of the controller when the data exporter is a processor. In addition, further examples were added to clarify aspects of “direct collection” from individuals in the EU, as well as the meaning of “the data importer in a third country”, with further examples and illustrations. Processing of personal data outside the EU often involves increased risks, for example, because foreign authorities can gain access to the data. This needs to be identified and handled in order for the processing to be permitted according to the GDPR.

The Catalan data protection authority issued guidance on Privacy by design and by default for developers. The regulations governing data protection by design and default do not specify which particular technical and organisational measures must be put in place, says the document. The controller, as well as the developers of the technological solutions, must conduct a prior analysis before determining the necessary measures. Determining the nature, scope, context, and purposes of the processing is the controller’s responsibility. The risks associated with each available technology must be taken into account when choosing a specific technological solution. Collaboration with developers is crucial at this point.

Overloading, Skipping, Stirring, Obstructing, Fickle, Left in the Dark – These are terms used to describe the main tactics employed in deceptive design patterns, and the EDPB has issued an update on how they apply to social media interfaces, and the best practices to recognise and avoid them. The guide offers assistance in design thinking processes for designers, but also alerts users of social media platforms, with numerous examples and illustrations.

The importance of records of data processing activities (ROPAs) needs underlining, says the Latvian data protection agency. A ROPA is not a document that can be developed, put on the shelf, and forgotten about, explains the regulator. The organisation can assign one or more responsible persons to maintain the register (in electronic, Excel, or paper format). The responsible person can also be a data protection officer, whose duties include the creation and maintenance of the document. The organisation can include not only the mandatory amount of information for each data processing activity but also supplement the records with supportive documentation, for example, impact assessment reports.

Video surveillance is a strong invasion of privacy because it profoundly affects people’s thinking and actions, states the Estonian data protection agency. The smaller the area of surveillance, the better. The shorter you keep data, the better. Recordings may not be used for purposes other than the original objective (with rare exceptions). Finally, visual warning signs should always be complemented with more detailed privacy notices on demand.

Investigations and enforcement actions: security patches and ransomware, non-existent debts and data deletion, conditions for cookie walls, Tesla security camera improvements

The Irish data protection authority fined Centric Health 460,000 euros for a data breach caused by a ransomware attack in 2019. The attack, which restricted access to patient data, hit 11 Primacare GP practices integrated into Centric Health’s IT system. The attack affected the data of 70,000 patients. Of those, 2,500 had their data deleted with no backup available during attempts to mitigate the attack, the Irish Times reports. The investigation into Centric Health discovered ‘Calum’ ransomware on the system, which encrypts data and demands payment to decrypt it. Back-ups of the system were also affected by the ransomware.

A forensic expert hired by Centric did not find any evidence of data exfiltration: “No evidence of archive files consistent with the attacker compressing large amounts of data for exfiltration was found on any of the systems, but this does not definitively rule it out”. However, the regulator’s investigation identified that a large number of patches released by Microsoft in 2018 should have been applied to the Windows operating system by Centric. This demonstrated a serious lapse on the part of Centric and an inability to identify all software operating on its system at the time of the breach.

The Danish data protection authority examined the use of cookie walls in two different cases. Where the user can access the content of a website or service either in exchange for the processing of their data or by paying, the requirements of data protection rules for valid consent are met, the regulator concluded. The exception is when the service offered in exchange for consent is different from that offered for payment, and when users are not really presented with a free choice.

The Dutch privacy authority decided against a fine after Tesla made security camera settings more privacy-friendly. Tesla used ‘Sentry Mode’ to help owners protect themselves against theft or vandalism by filming everyone nearby. Now the cameras respond only if the vehicle is touched; the car does not automatically begin filming, but the owner receives an alert on their phone; the headlights flash to indicate to passersby that filming has begun; and recordings are saved in the car, not shared with Tesla, and limited to no more than 10 minutes of footage.

Finally, the Croatian data protection agency fined a telecommunication company for failure to maintain up-to-date and accurate data. The complainant stated that their personal data was processed by the company despite not having been its client for more than ten years. The complainant found out about this through a security incident notification she received from the telecommunication company, which customer service then confirmed. After the complainant’s inquiry, the company found that it was still processing their personal data because, for unknown reasons, the data controller had linked a non-existent debt to the complainant, which is why the computer system did not allow the deletion of the data until the non-existent debt was cancelled manually.

Data security: danger of low-tech hacks, UK’s new certification scheme, genomic data

The UK Information Commissioner’s Office has approved a new set of UK GDPR certification scheme criteria. The scheme is aimed at training and qualification service providers and will enable their candidates to make informed choices when applying for training programs, with confidence that their personal data will be processed in accordance with the UK GDPR. This scheme follows three others: one covering secure re-use and disposal of IT assets, and the other two covering areas including age assurance and children’s online privacy.

The US cyber security expert Brian Krebs demonstrates how low-tech hacks cause high-impact breaches. Last month web hosting giant GoDaddy revealed that a multi-year hack had given attackers access to company source code, login information for clients and employees, and customer websites. The incidents could have stemmed from a small number of GoDaddy employees falling for a sophisticated social engineering scam. Attacks using voice phishing, or vishing, frequently target workers who are based off-site. The phishers typically pose as members of the employer’s IT department when calling. The objective is to persuade the target to enter their login information at a website the attackers have set up to look like the company’s corporate email or VPN portal.

The US National Cybersecurity Center of Excellence has published a draft internal report on the cybersecurity of genomic data. Genomic data is immutable, associative, and conveys important health, phenotype, and personal information about individuals and their past and future. In some cases, small fragments of genomic data stripped of identifiers can be used to re-identify persons, though the vast majority of the genome is shared among individuals. The report proposes a set of solutions that address real-life use cases occurring at various stages of the genomic data lifecycle along with candidate mitigation strategies and the expected benefits of the solutions. Additionally, areas needing regulatory/policy enactment or further research are highlighted. The public comment period is now open through 3 April.

Big Tech: TikTok scrutiny, YouTube child data complaint

TikTok announced that it is creating a tool that will enable parents to prevent their teenagers from viewing certain content, as well as limit the amount of time spent on the app. TikTok, owned by China’s ByteDance, is currently facing an international backlash over illicit content and data security concerns. The app has been banned from government-owned and work-related devices in the United States and Canada. The European Commission also banned the app on its corporate devices and on personal devices that might be connected to the official mobile network provided by the institutions within their premises.

Finally, in the UK, a member of the child advocacy group 5Rights filed a complaint with the Information Commissioner’s Office, asking it to make Google/YouTube stop collecting children’s data and potentially make the company liable for the maximum penalty of as much as four percent of annual turnover. It is the first such complaint alleging that a major tech firm has broken the new Age-Appropriate Design Code, The Guardian reports. Although YouTube officially forbids users under the age of 13 from accessing its main website, the complaint claims the company failed to ensure that younger users were abiding by the rules and only accessing the main platform with parental permission.

The post Data protection & privacy digest 18 Feb – 3 Mar 2023: practical application of the EU-US Data Privacy Framework remains a concern appeared first on TechGDPR.

Data protection & privacy digest 19 Jan – 3 Feb 2023: threshold for cookies, spy pixels, consent evidence, data storage and deletion https://techgdpr.com/blog/data-protection-digest-06022023-threshold-for-cookies-spy-pixels-consent-evidence-data-storage-and-deletion/ Mon, 06 Feb 2023 09:34:51 +0000

The post Data protection & privacy digest 19 Jan – 3 Feb 2023: threshold for cookies, spy pixels, consent evidence, data storage and deletion appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: threshold for cookies, advertising claims’ mediation, China’s outbound transfers

The EDPB approved a minimum threshold for the use of cookies and the subsequent processing of the data collected. No cookies that require consent can be set without positive action expressed by the user, or purely on the grounds of the data controller’s legitimate interest. The absence of refusal options, visible and accessible at any time on any layer of the banner, constitutes an infringement. The limitations, such as for strictly necessary technical cookies, must be indicated. Confusing information, designs and colours are not acceptable.

The Spanish data protection agency AEPD announced a mediation system to expedite the resolution of advertising claims, (in Spanish). It has approved the modification of the Autocontrol Code of Conduct ‘Data processing in advertising activity’, which includes out-of-court procedures to resolve individuals’ complaints more quickly. Advertisers must respond within a maximum period of 15 days, proposing the actions they deem pertinent for mediation. The maximum duration of the procedure will be 30 days.

The Cybersecurity Administration of China has published guidelines on outbound transfers of personal and important data from China to other jurisdictions, whitecase.com reports. Organisations must comply with these guidelines by 1 March or risk administrative, civil and criminal penalties. In certain cases the measures include security assessments and approval from the state before engaging in outbound data transfers. Outbound data transfers in this case include:

  • an entity in China actively sending data to a recipient in another jurisdiction;
  • permitting a person or entity outside China to access data generated in the course of the data processor’s operations in China;
  • multinational intragroup transfers of data; and
  • operating centralised document management systems for global operations with servers hosted outside China.

Official guidance: consent evidence, data storage periods and deletion, TOMs, training, recruitment data

Denmark’s privacy regulator explained the balance between consent evidence requirements and data minimisation. The data controller should be able to demonstrate that the data subject has given consent. However, the rule only applies as long as the data processing is ongoing. After the end of the processing activity, (eg, once the data subject has withdrawn their consent), there is no obligation to retain that evidence. Moreover, the data controller has a duty to delete the personal data and any additional data without undue delay after consent is withdrawn, (unless they are needed for claims to be established or defended, and then only for a short period of time).

The Portuguese privacy regulator CNPD published guidance on technical and organisational security measures, aimed at data controllers and processors. The CNPD lists a set of TOMs that must be considered by organisations in their risk prevention and minimisation plans, (in Portuguese). The list is dynamic and not exhaustive due to rapid technological change and is therefore subject to updates whenever necessary. The increasing number of security incidents in the past year revealed that if organisations had been equipped with adequate security measures, the risks would have been lower and the impact on the rights of data subjects smaller.

The GDPR states that the organisation, (controller), is obliged to limit the storage of personal data with the intention that the data is not stored longer than is necessary to achieve its purpose. The Latvian privacy regulator DVI explains how to determine the data storage period, and what to do when it is expired. The organisation must have internal procedures in place in order to determine:

  • that the purpose has been achieved and the data cannot be further used for any other unrelated purpose, (eg, the deadline specified in the regulatory act has been reached, or the legal basis has been lost);
  • the frequency with which the purposes of the data processing and their justifications will be reviewed;
  • how to receive a signal that personal data has expired, and
  • how to inform data subjects of these periods, (or the criteria that were taken into account to determine them), in the privacy policy. 

Ultimately, data must be deleted completely, without any possibility of recovery. The deletion procedures must cover identifying the persons responsible, the location of the data, follow-up on the deletion, and informing processors, other controllers and the data subjects.

The Latvian regulator also issued a reminder of the importance of data protection training. It is necessary to familiarise employees with the framework the organisation has created for data protection and processing: cyber security, specific industry regulations, employee liability for violations, data breach responses, and review procedures. A desired outcome would be: a customer is asked to provide their personal data for identification; if the customer asks why this is necessary, the employee should be able to give a reasoned answer and indicate that more detailed information is available in the privacy policy.

A recruitment process necessarily involves the processing of a significant amount of personal data about candidates. The rise of new technologies has multiplied recruitment channels, (social networks, personalised advertising, specialised search engines), and the communication tools used, (videoconferencing, chatbots, mobile applications). It has also led to the creation of very large databases that allow the use of artificial intelligence or of tools to assess the “soft skills” of candidates. In this context, the French regulator CNIL offers a guide and a set of practical sheets and Q&As to support recruitment stakeholders in their compliance, (in French).

Investigations and enforcement actions: game developers, spy pixels, psychometric tests, unwanted membership, Covid-related algorithms, email security

The UK’s ICO published an Age Appropriate Design Code, (AADC), audit of Facepunch Studios, a games developer. Facepunch does not require a user account, although some gameplay data and device information is collected in-game. Facepunch also shares some personal data of users with third parties in order to operate parts of, or functions within, its games or services. The audit concluded that the age assurance measures in place should be improved by assessing and reliably determining the actual ages of current UK child users, regularly monitoring the effectiveness of the third-party age gate used, and assessing which elements of an online service are appealing to or likely to be accessed by children. Where actual user ages are not established with certainty, the AADC standards should be applied to all users.

The Danish data protection authority criticised Vækstfonden, (Denmark’s investment fund), for using spy pixels in its newsletters. As with the processing of personal data using cookies on websites, the use of spy pixels requires a processing basis under the GDPR. The spy pixels were used to analyse which articles the recipients clicked on, in order to optimise the organisation and sending of the newsletters. But the fund had not observed the obligation to provide information about the processing. Vækstfonden has stated that it has changed suppliers for sending out newsletters and has updated its privacy policy.

Spain’s AEPD fined Thomas International 40,000 euros for the processing of sensitive data, Data Guidance reports. The complaint concerned a psychometric test provided by Agroxarxa, which was run by Thomas International. Though Agroxarxa stated that candidates were not required to provide sensitive personal data, the psychometric test requested it, stating that its provision was required by the HR department of Agroxarxa. Thomas International provided the same questionnaire to all clients that used its services, allowing for the processing of sensitive personal data even when not requested by the client.

In the US, the Federal Trade Commission is sending payments totaling more than 973,000 dollars to 17,064 people who lost money after NutraClick automatically enrolled them in unwanted membership programs for supplements and beauty products and misled consumers about when they had to cancel trial memberships to avoid monthly charges.

The Italian privacy authority has sanctioned three local health authorities which, through the use of algorithms, had classified patients according to their risk of Covid-related complications. The patients’ data had been processed in the absence of a suitable regulatory basis, without providing the data subjects with all the necessary information, (in particular on the methods and purposes of the processing), and without having previously carried out an impact assessment.

Ireland’s privacy regulator fined a nursing homes operator. The credentials of a user account at a nursing home were captured on a fake website via a phishing email. This allowed the bad actor to set up email forwarding of all inbound emails to a third-party email account. Adequate technical and organisational measures could have included appropriate encryption of data being transferred over external networks, suitable phishing training, and regular testing of the safeguards. 

Meanwhile, the Swedish privacy regulator fined an insurance company for sending sensitive personal data via e-mail without sufficient protection. The email was only encrypted in transit. The encryption ended before the message had reached the final recipient and there was thus a risk that unauthorised persons could read the message in plain text after the encrypted transmission had ended.

Data security: ISO 31700 Privacy by Design, AI Risk Management Framework by NIST, taxonomy of ICT incidents, mobile data

The International Organisation for Standardisation has finally published the long-awaited ISO 31700. It establishes high-level requirements, (and use cases), for privacy by design to protect privacy throughout the lifecycle of a consumer product, including data processed by the consumer. This includes consumers’ personally identifiable information and other data processed, (collected, used, accessed, stored, and deleted), or intentionally not collected or processed by the organisation and by the digital goods and services within the digital economy. The preview document is available here.

America’s NIST published an AI Risk Management Framework. AI systems and the contexts in which they are deployed are frequently complex, making it difficult to detect and respond to failures when they occur. AI risk management can drive responsible uses and practices by prompting organisations and their internal teams who design, develop, and deploy AI to think more critically about context and potential or unexpected negative and positive impacts. Core concepts remain human centricity, social responsibility, and sustainability.

In Italy, the National Cybersecurity Agency offered a new taxonomy of incidents affecting ICT assets that are subject to mandatory notification. After initial access, execution, installation and lateral movement, the taxonomy lists “Actions on objectives”, which covers among other things: collecting confidential and sensitive data from within the network, or detecting their presence outside the systems authorised to process them; and exfiltrating data from within the network to external resources, or manipulating, degrading, disrupting, or destroying systems, services, or data.

Could your phone be leaking data that you are not aware of? asks the US NIST. It goes on to explain how control of the data may be lost due to unauthorized or unwarranted transmission of data to an external source. Mobile data leaks can also occur when mobile device privacy settings or applications are misconfigured. This includes personally identifiable information, financial and health data, video and audio files, information about the way an individual uses the Internet, and location tracking data. Thus, organisations have to:

  • Manage mobile device settings;
  • Preserve confidentiality, by employing data in transit protection;
  • Keep mobile operating system and applications up to date;
  • Apply zero trust principles;
  • Separate work from personal information, by deploying a Bring Your Own Device (BYOD) approach;
  • Apply App vetting to identify security and privacy risks;
  • Apply Mobile Threat Defense solutions that monitor for device-, app-, and network-based attacks.

Big Tech: the Digital Services Act’s deadline, Replika AI chatbot ban

The European Commission has published non-binding guidance to help very large online platforms and search engines within the scope of the Digital Services Act, (DSA), comply with their requirement to report user numbers in the EU, at the latest by 17 February and at least once every six months afterwards, (small businesses and start-ups must provide the information on request of the authorities). In the near future very large online platforms and search engines will be subject to additional obligations, such as carrying out a risk assessment and taking corresponding measures to mitigate risks to users’ rights online.

Replika, an AI chatbot company, is not allowed to use the personal information of Italian users, according to Italy’s data protection agency, which cites risks to children and emotionally fragile individuals. The US-based start-up offers users personalised avatars that talk and listen to them. The lack of an age-verification mechanism, such as filters for minors or a blocking mechanism if users do not explicitly state their age, was one of many issues that the Italian regulator highlighted. Additionally, the processing of personal data by the company is illegal because it cannot be justified by a contract that a minor is unable to sign.


Data protection & privacy digest 3 – 17 Jan 2023: personalised ads dilemma: contract as a legal basis, in-apps tracking via technical identifiers https://techgdpr.com/blog/data-protection-digest-18012023-personalised-ads-contract-as-a-legal-base-in-apps-tracking-via-technical-identifiers/ Wed, 18 Jan 2023 10:40:33 +0000

The post Data protection & privacy digest 3 – 17 Jan 2023: personalised ads dilemma: contract as a legal basis, in-apps tracking via technical identifiers appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Ad Tech: Meta personalised ads, technical identifier system in App Store, IAB Europe’s consent mechanism

Meta has a few months to reassess the legal basis for how Facebook and Instagram use personal data to target advertising in the EU after the media giant was issued fines totalling 390 million euros. The fines related to a 2018 change in the terms of service of Facebook and Instagram following the implementation of the GDPR, under which Meta sought to rely on the so-called “contract” legal basis for most of its data processing operations. The services would not be accessible if users declined to press the “I agree” button. The final decision states that Meta cannot use a contract as a legal basis for processing data, on the grounds that the delivery of personalised ads is not necessary to fulfil Facebook’s contract with its users.

The final decision was reached under pressure from many privacy regulators in the EU/EEA, (under the one-stop-shop mechanism). In particular, the lead Irish regulator, the DPC, disagreed with a number of counterparts and sided with Meta’s view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising. On that view, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the terms of service. When it became clear that a consensus could not be reached, the regulators referred the dispute to the EDPB, which later issued a binding decision.

Finally, the DPC was criticised for not conducting a fresh investigation of all Facebook and Instagram data processing operations, as directed by the EDPB in its binding decision. The DPC believes that the EDPB does not have a general supervisory role akin to that of national courts in respect of independent national authorities, and that it is not for the EDPB to instruct and direct an authority to engage in an open-ended investigation. The DPC is now considering bringing an action for annulment before the CJEU in order to set aside the EDPB’s directions.

The French privacy regulator CNIL fined Voodoo, a smartphone game publisher, 3 million euros for using an essentially technical identifier for advertising without the user’s consent. The investigation showed:

  • When Voodoo offers an application on the App Store, Apple provides an identifier for vendors, (IDFV), a technical identifier allowing the publisher to track users’ use of its applications.
  • An IDFV is assigned for each user and is the same for all applications distributed by the same publisher. 
  • By combining it with other information from the smartphone, the IDFV tracks people’s browsing habits, including the game categories they prefer, in order to personalise the ads seen by each of them.
  • When opening a game application, a first Apple-designed page, (App Tracking Transparency or ATT), is presented to the user in order to obtain their consent to the tracking of their activities on the applications downloaded on their phone. 
  • When the user refuses the “ATT solicitation”, a second window is presented by Voodoo indicating that advertising tracking has been disabled while specifying that non-personalised advertisements will still be offered. 

During its checks, however, the CNIL found that when a user expresses their refusal to be the subject of advertising tracking, Voodoo still reads the technical identifier associated with this user and always processes information related to their browsing habits for advertising purposes, therefore without their consent. 

Similarly, the CNIL sanctioned Apple Distribution International with an 8 million euro fine for not having obtained the consent of French iPhone users, (using the App Store), before placing identifiers used for advertising purposes. Identifiers serving several purposes, including the broadcasting of advertisements, were by default automatically read on the user’s device without consent being obtained.

Meanwhile, the Belgian data protection authority approved IAB Europe’s action plan for its Transparency and Consent Framework, a widely used approach to collecting and managing consent for targeted advertising cookies in the EU. A year ago, the Belgian regulator fined IAB Europe 250,000 euros for multiple violations of the GDPR, including the absence of a legal basis for processing. The measures proposed in the action plan stem directly from the assumptions that:

  • The TC String, (a digital marker containing user preferences), should be considered personal data, and 
  • IAB Europe acts as a (joint) controller for the dissemination of TC Strings and other data processing done by TCF participants. 

Both of these assumptions have been referred to the CJEU by the Belgian Market Court for a preliminary ruling, and such a referral was explicitly asked for by the Belgian authority itself in the course of the proceedings.

Legal processes and redress: administrative and civil remedies, data subject access rights

The CJEU has ruled that the administrative and civil remedies provided for by the GDPR may be exercised concurrently with and independently of each other. Given that the parallel exercise of administrative and civil remedies could give rise to contradictory decisions, (eg, when the supervisory authority refuses a request from an individual and the individual then brings an appeal before a court), a Hungarian court asked the CJEU whether one of those remedies might take priority over the other. The EU’s top court held that it is for each Member State to ensure, through its procedural rules, that the concurrent and independent remedies provided for by the GDPR do not call into question the effectiveness of the remedy before a court or tribunal.

The CJEU also confirmed a broad definition of data subject access rights, (DSARs): data controllers must reveal the specific recipients of any data they shared unless it is impossible or excessive to do so. The court emphasised that DSARs are necessary to exercise other rights under the GDPR, such as the rights to rectification, erasure, and restriction of processing. The related case concerns an individual’s request to a postal and logistics services company to disclose the identity of the recipients to whom the company had disclosed, (sold), the individual’s personal data. At the same time, the access right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property, and in particular the copyright protecting software. However, the result of those considerations should not be a refusal to provide any information to the data subject.

Investigations and enforcement actions: failed data access requests and health-related data consent

The Italian privacy regulator fined I-Model, (promoter and web agency specialised in the selection and management of personnel for events and communication), 10,000 euros for failure to adequately respond to access requests and unlawful processing, Data Guidance reports. After receiving confirmation from I-Model that the personal data in its files had been deleted, the complainant continued to receive job offers from the company. I-Model gave a formal response to the complainant’s requests for deletion of personal data on two occasions, merely stating that it had removed the data from the mailing list, but, in fact, continuing to store and process the data without a legal basis. 

The Finnish data protection commissioner fined an unnamed company 122,000 euros for not having consent in accordance with the GDPR to process data on body mass index and maximum oxygen uptake capacity. The company had asked for consent to process health-related data in general but had not specified the data it collected and processed and for what purposes. The disciplinary board paid special attention to the fact that the large-scale processing of health data is a key part of the company’s core business. Importantly, the company’s service is also available in other EU and EEA countries, which is why the issue was discussed in cooperation between supervisory authorities. One of the complaints had been initiated in another Member State. 

The Finnish regulator also imposed a penalty of 750,000 euros on the debt collection company Alektum. It had not responded to requests regarding data subjects’ rights. The company also complicated and slowed down the investigation by avoiding the supervisory authority. As a result, several complainants did not get access to their own data and did not have the opportunity, for example, to correct it or monitor the legality of the processing. Every organisation is obliged to respond to requests regarding the rights of the data subject within one month. If there are many requests or they are complex, a data controller can state that it needs up to two additional months. In the case of one complainant, Alektum explained its non-response by saying that it no longer processed the data subject’s personal data. Even then, the company should have responded to the request.

Official guidance: AI supervision and transparency requirements, Privacy by Design as an international standard, EU whistleblowing scheme report

The Norwegian data protection authority has published an experience report on how you can get information about the use of Artificial Intelligence. Transparency requirements related to the development and use of AI are normally divided into three main phases:

  • development of the algorithm,
  • application of the algorithm,
  • post-learning, and improvement of the algorithm.

The GDPR requirements for information are general and basically the same for all phases. But there are also requirements that only become relevant in certain phases. For example, the requirement to inform about the underlying logic of the AI will usually only be relevant in the application phase. The full guidance, (in Norwegian), is available here.

In parallel, the Dutch data protection authority is setting up a new unit, which should give a boost to the supervision of algorithms. During 2023 it will identify the risks and effects of algorithm use, (cross-sectoral and cross-domain). Where necessary, collaboration with the other supervisors will be deepened further, (eg, on the transparency obligations in the various laws, regulations, standards, and frameworks), with the aim of preventing discrimination and promoting transparency in algorithms that process personal data.

Denmark’s data protection authority looked at the newly approved EU whistleblowing scheme. During the first year of implementation, two out of three reports concerned data protection, (eg, regarding insufficient security of data processing, and monitoring of employees). That is partly because the national data protection authority was mandated to receive and process reports regarding breaches of EU law in a number of areas, including public tenders, product safety, environmental protection, food safety, reports of serious offenses, or other serious matters, including harassment. Nonetheless, many people associate the scheme with data protection only. All cases concluded in 2022 were completed within the deadlines, with an average time frame of 27 days.

Finally, the International Organisation for Standardisation is about to adopt ISO 31700 on Privacy by Design for the protection of consumer products and services. ISO 31700 is designed to be used by a whole range of companies: startups, multinational enterprises, and organisations of all sizes. It features 30 requirements and guidance on:

  • designing capabilities to enable consumers to enforce their privacy rights, 
  • assigning relevant roles and authorities, 
  • providing privacy information to consumers, 
  • conducting privacy risk assessments, 
  • designing, establishing, and documenting requirements for privacy controls, 
  • lifecycle data management, and 
  • preparing for and managing a data breach. 

However, it won’t initially be an obligatory standard.


Privacy by Design for Technology Development Teams https://techgdpr.com/blog/privacy-by-design-for-technology-development-teams/ Wed, 03 Aug 2022 12:22:14 +0000

The post Privacy by Design for Technology Development Teams appeared first on TechGDPR.

]]>
The concepts of Privacy by Design and Privacy by Default, outlined in Article 25 of the GDPR, are crucial aspects of GDPR compliance for technology developers. The requirements for implementing these concepts are quite extensive. As Art. 25.1 states,

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Essentially, data controllers need to consider data protection throughout the core of their organisational activities. As such, those who work to create technologies involved in data processing must consider the implications of their software in the context of the GDPR. While Data Protection by Design and Data Protection by Default are separate concepts, they are complementary. Implementing Data Protection by Design makes achieving Data Protection by Default much easier, with the reverse being true as well.

Building privacy into the heart of data processing operations and systems is part of Privacy by Design, while ensuring that the data subject’s rights are protected as a matter of standard operations is part of Privacy by Default. These concepts existed long before the GDPR came into force, but under the GDPR they became important requirements.

Achieving Privacy by Design and Privacy by Default is not a simple process when one’s main focus is developing and delivering products. As such, familiarity is of the essence. 

What are the most important considerations involved with these concepts, and how may data processors implement them? 

What is Privacy by Design? 

The concept of Privacy by Design was created by Ann Cavoukian in the 1990s and presented in her 2009 “Privacy by Design: The Definitive Workshop.” As Cavoukian stated, the concept of privacy by design encompasses more than just technology. Rather, Privacy by Design dictates that privacy is taken into account throughout the design process and operations of broader organisations and systems. There are seven foundational principles which constitute the basis of Privacy by Design:

  1. Measures are proactive rather than reactive. They anticipate risks and try to prevent them from occurring, rather than allowing for invasions of privacy and minimising them after the fact. These measures are woven into the culture of an organisation.
  2. Privacy is protected by default. Personal data is protected without requiring the data subject to act. In practice, the most intrusive privacy features of an app, such as geolocation tracking when that is not called for by the user, are turned off when the product is first installed or, better yet, every time the app is launched.
  3. Privacy is embedded into the design of systems and organisations. It is not an afterthought, but an essential part of a system’s functionality. Designing for privacy can be quite costly, so planning for it rather than redesigning to accommodate it later is a wise cost management strategy.
  4. Privacy is not implemented to the detriment of other interests, but rather to accommodate all legitimate interests with full functionality.
  5. Privacy is extended throughout the lifecycle of all the data collected.
  6. Data processing activities are visible and transparent. The business practices and technologies involved are clear to both users and providers.
  7. Measures for privacy are user-centric: the interests of data subjects are at the forefront of operations.

Cavoukian stresses that ensuring privacy does not come at the cost of other critical interests, but rather ought to complement other organisational goals. 

But how does a team implement these foundational principles into their technological design?

Methods of Implementing and Measuring Data Protection by Design for Technology Developers

The European Data Protection Board adopted guidelines for Data Protection by Design and by Default on 20 October 2020. These guidelines clarify how to implement the requirements of Article 25 in organisations that process personal data. 

Certain concepts, such as pseudonymisation, noise addition, substitution, K-anonymity, L-Diversity, T-closeness, and differential privacy, can help increase the privacy of an individual data subject, or give key information about the privacy of a data set. As a result, individuals working to achieve Privacy by Design should think about these methods as tools they can use, though not as absolute methods in and of themselves. 

  • Pseudonymisation replaces direct identifiers, such as names, with codes or numbers, which allows data to be linked to an individual without the individual themself being identified. This data is still within the scope of the GDPR. Truly anonymous data is not considered personal data, and thus its processing does not fall under the scope of the GDPR. However, anonymous data, that is, data which cannot be linked back to a data subject, is different from pseudo-anonymous data in that pseudo-anonymous data has the potential to be re-linked to a data subject, even if in a difficult or indirect way. Thus, pseudo-anonymous data is still subject to the requirements of the GDPR. 
  • Noise addition is often used in conjunction with other anonymisation techniques. In this technique, attributes which are both confidential and quantitative are added to or multiplied by a randomised number. The addition of noise still allows for the singling out of an individual’s data, even if the individual themself is not identifiable. It also allows for the records of one individual to be linked, even if the records are less reliable. This linkage can potentially link an individual to an artificially added piece of information. 
  • Substitution functions as another method of pseudonymisation. This is where a piece of data is substituted with a different value. Like the addition of noise, substitution ought to be used in conjunction with other data protection measures in order to ensure the data subjects’ rights are protected.
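As an added illustration of the techniques above (this is example code, not code from the post or from TechGDPR), the following Python script pseudonymises a small constructed set of records with a keyed HMAC token, keeps the re-linking table separate from the data, and adds random noise to a quantitative column. The record layout, the field names and the sample values are assumptions made for the example.

```python
import hashlib
import hmac
import random
import secrets

# Constructed sample records (not real people). "name" is the direct identifier,
# "salary" is a confidential quantitative attribute.
RECORDS = [
    {"name": "Alice Example", "postcode": "10115", "salary": 52000},
    {"name": "Bob Example", "postcode": "10117", "salary": 61000},
    {"name": "Alice Example", "postcode": "10115", "salary": 52500},  # second record for Alice
]


def pseudonym(name: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised name, truncated to 16 hex chars.

    A secret key (rather than a bare hash) means that whoever holds only the
    pseudonymised data cannot re-derive tokens by hashing guessed names.
    """
    normalised = name.strip().casefold().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace 'name' with a keyed token.

    Returns (pseudonymised records, lookup table). The lookup table (token -> name)
    is the additional information that re-links the data to a person; it belongs in
    separate storage under stricter access control than the data set itself.
    """
    lookup, out = {}, []
    for r in records:
        token = pseudonym(r["name"], key)
        lookup[token] = r["name"]
        out.append({"subject_id": token, **{k: v for k, v in r.items() if k != "name"}})
    return out, lookup


def relink(pseudonymised, lookup):
    """Reverse the pseudonymisation; only possible with the separately held table."""
    return [
        {"name": lookup[r["subject_id"]], **{k: v for k, v in r.items() if k != "subject_id"}}
        for r in pseudonymised
    ]


def add_noise(records, column, spread, seed=None):
    """Noise addition: add a random integer in [-spread, spread] to a quantitative column.

    The record still carries the same subject_id (so records stay linkable), but the
    exact value is no longer reliable, which is the trade-off the text describes.
    `seed` makes the noise reproducible for demonstrations; leave it None in practice.
    """
    rng = random.Random(seed)
    return [{**r, column: r[column] + rng.randint(-spread, spread)} for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; store it outside the data set
    pseudo, table = pseudonymise(RECORDS, key)
    for row in add_noise(pseudo, "salary", 1000):
        print(row)
    print(relink(pseudo, table))
```

The point to notice is that the two Alice records share a token, so the data is still linkable to one person and therefore still personal data under the GDPR; only the holder of the lookup table (or of the key) can turn that token back into a name. Noise addition leaves `subject_id` untouched, which is exactly the residual linkability the text warns about.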

Means of measuring the privacy of data 

  • K-anonymity, a type of aggregation, is a concept that is based around combining datasets with similar attributes such that the identifying information about an individual is obscured. This helps to determine the degree of anonymity of a data set. Essentially, individual information is lumped in with a larger group, thereby hiding the identity of the individual. For example, an individual’s age could be replaced with an age range, which is called generalisation. By replacing specificity with generality, identifying information is harder to obtain. Suppression is another method of achieving better k-anonymity. This is where a certain category of data is removed from the data set entirely. This is best suited to cases where the data in that category would be irrelevant with regard to the purpose of the data processing. It is important to note, however, that k-anonymity itself does not guarantee that sensitive data will be protected.
  • L-diversity is an extension of k-anonymity. It provides a way of measuring the diversity of sensitive values in a dataset. Essentially, l-diversity requires each of the values of sensitive attributes within each group to be well-represented. In doing so, l-diversity helps to guarantee that a data set will be better protected against re-identification attacks. This is a helpful consideration in cases where it is possible for attributes in k-anonymised data sets to be linked back to an individual.
  • T-closeness expands on l-diversity and is a strategy of anonymisation by generalisation. T-closeness creates equivalence classes whose distribution of sensitive attributes is similar to the initial distribution in the data set, and is beneficial in situations where a data set must be kept as close as possible to its original form. Like k-anonymity and l-diversity, t-closeness helps to ensure that an individual cannot be singled out in a database. Additionally, these three methods still allow for linkability. What l-diversity and t-closeness do which k-anonymity cannot is provide the guarantee that inference attacks against the data set will not have 100% confidence.
  • Differential privacy aims to ensure the privacy rights of an individual data subject are protected by ensuring the information someone obtains from the output of data analysis is the same with or without the presence of the data of an individual. This allows for data processing without an individual’s information being singled out or the individual being identified. Differential privacy provides privacy through a specific type of randomisation. The data controller adds noise to the data set, with differential privacy revealing how much noise to add. 
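To make the measures above concrete, here is an added Python example (example code, not code from the post or from TechGDPR) that generalises a constructed eight-row table and then computes k, l and t for it, and adds a Laplace-noised count to show how differential privacy fixes the amount of noise from the query’s sensitivity and the privacy parameter epsilon. The table, the column names and the function names are assumptions; t is computed with the equal-distance form of the Earth Mover’s Distance (total variation distance), which is the simplest t-closeness variant for a categorical attribute.

```python
import math
import random
from collections import Counter

# Constructed micro-data (not real people). Quasi-identifiers: age, postcode.
# Sensitive attribute: diagnosis.
RAW = [
    {"age": 23, "postcode": "10115", "diagnosis": "flu"},
    {"age": 27, "postcode": "10117", "diagnosis": "asthma"},
    {"age": 29, "postcode": "10119", "diagnosis": "flu"},
    {"age": 34, "postcode": "10243", "diagnosis": "cancer"},
    {"age": 36, "postcode": "10245", "diagnosis": "cancer"},
    {"age": 38, "postcode": "10247", "diagnosis": "cancer"},
    {"age": 45, "postcode": "10315", "diagnosis": "flu"},
    {"age": 47, "postcode": "10317", "diagnosis": "diabetes"},
]
QUASI = ("age", "postcode")
SENSITIVE = "diagnosis"


def generalise(rec):
    """Generalisation: exact age -> decade band, postcode -> first three digits only."""
    lo = rec["age"] // 10 * 10
    return {"age": f"{lo}-{lo + 9}", "postcode": rec["postcode"][:3] + "**",
            SENSITIVE: rec[SENSITIVE]}


def suppress(records, column):
    """Suppression: drop one quasi-identifier column from every record."""
    return [{k: v for k, v in r.items() if k != column} for r in records]


def equivalence_classes(records, quasi=QUASI):
    """Group records that share the same quasi-identifier values."""
    classes = {}
    for r in records:
        classes.setdefault(tuple(r[q] for q in quasi), []).append(r)
    return list(classes.values())


def k_anonymity(records, quasi=QUASI):
    """k = size of the smallest class: each record is indistinguishable from k-1 others."""
    return min(len(c) for c in equivalence_classes(records, quasi))


def l_diversity(records, quasi=QUASI, sensitive=SENSITIVE):
    """l = fewest distinct sensitive values in any class (l = 1 means a class is homogeneous)."""
    return min(len({r[sensitive] for r in c}) for c in equivalence_classes(records, quasi))


def t_closeness(records, quasi=QUASI, sensitive=SENSITIVE):
    """t = largest distance between a class's sensitive-value distribution and the
    whole table's. For a categorical attribute with equal distance between values the
    Earth Mover's Distance equals total variation distance: 0.5 * sum |p_i - q_i|."""
    n, overall = len(records), Counter(r[sensitive] for r in records)
    worst = 0.0
    for c in equivalence_classes(records, quasi):
        local = Counter(r[sensitive] for r in c)
        dist = 0.5 * sum(abs(local[v] / len(c) - overall[v] / n) for v in overall)
        worst = max(worst, dist)
    return worst


def laplace_noise(scale, u):
    """Inverse-CDF sample of Laplace(0, scale) from a uniform u in (0, 1)."""
    return -scale * math.copysign(1.0, u - 0.5) * math.log(1.0 - 2.0 * abs(u - 0.5))


def dp_count(records, predicate, epsilon, u=None):
    """epsilon-differentially private count. A counting query has sensitivity 1
    (adding or removing one person changes it by at most 1), so the Laplace scale
    is 1/epsilon: the privacy budget itself dictates how much noise to add.
    `u` fixes the uniform draw for reproducible demonstrations; default is random."""
    true_count = sum(1 for r in records if predicate(r))
    draw = random.uniform(1e-12, 1.0 - 1e-12) if u is None else u
    return true_count + laplace_noise(1.0 / epsilon, draw)


if __name__ == "__main__":
    table = [generalise(r) for r in RAW]
    print("raw table:         k =", k_anonymity(RAW))
    print("generalised table: k =", k_anonymity(table), "l =", l_diversity(table),
          "t = %.3f" % t_closeness(table))
    print("DP count of cancer rows:", dp_count(table, lambda r: r[SENSITIVE] == "cancer", 1.0))
```

Run stand-alone, the generalised table is 2-anonymous but only 1-diverse: every record in the 30-39 band carries the same diagnosis, so anyone who knows a neighbour’s age band learns it with certainty. That is the gap the text describes (k-anonymity alone does not protect sensitive values), and it is what l and t measure. The noisy count, by contrast, changes by at most a bounded amount whether or not any one person’s row is in the table.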

Privacy Design Strategies

Researchers have identified eight privacy design strategies, divided into two groups: data-oriented strategies and process-oriented strategies. Data-oriented strategies include: minimise, hide, separate, and abstract. These strategies focus on how to process data in a privacy-friendly manner. Process-oriented strategies include: inform, control, enforce, and demonstrate. These strategies focus on how an organisation can responsibly manage personal data. Article 5 of the GDPR identifies the basic principles to follow when processing personal data: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. These principles help guide the strategies, which can be exemplified by the concepts and methods of pseudonymisation, noise addition, substitution, k-anonymity, l-diversity, t-closeness, and differential privacy. These methods and processes of measuring privacy should stand as part of larger efforts to work to implement data protection into the fabric of data processing operations. 

How can technology developers learn more about Privacy by Design and Default?

Data Protection by Design and Data Protection by Default are fundamental concepts to adhere to under the GDPR. Teams which keep these concepts in mind at every level of their organisations will keep the rights of data subjects at the forefront of their operations, and thus go further in working towards GDPR compliance. Technology developers have a special role in making sure that their products have the capacity to be used in a GDPR compliant manner, and thus should have extensive familiarity with these concepts. Those interested in learning more about GDPR compliance, from the perspective of what a technology developer should consider, can participate in TechGDPR’s Privacy & GDPR Compliance Course for Developers. This course delves into what individuals working in technology development need to know about data protection so they can better understand their own duties and responsibilities under the requirements of the GDPR. 

Why is GDPR training important for technology teams?
https://techgdpr.com/blog/why-is-gdpr-training-important-for-technology-teams/ (Tue, 12 Jul 2022)

Individuals working in positions directly relating to technology or software development often view GDPR compliance as being outside of their domain, and thus might not see the value in GDPR training. Though the extensive requirements of the GDPR can be difficult to fully comprehend, those working in technology development have a special role in ensuring GDPR compliance within their companies. One of the goals of the GDPR is to stimulate the European economy by ensuring that people are still able to trust the security of digital commerce and by enabling the free, but lawful, flow of data. By extension, this means that, on a much smaller scale, GDPR compliance, i.e. ensuring that the privacy rights of data subjects are protected, helps build the trust of consumers in individual businesses and the digital economy.

Reaching a high level of compliance takes time. As with most endeavours that rely on change management (e.g. setting up a quality management system or an information security management system), staff training plays a crucial role in aligning operations with business goals. Documenting evidence of GDPR training goes a long way in objectively displaying the journey achieved to date.

Data Protection by Design and GDPR Training

The GDPR dictates that a company must weave privacy into the very fabric of its processing operations through the principles of Data Protection by Design and Data Protection by Default, outlined in Article 25 of the GDPR. As such, the individuals responsible for building the technology involved in data collection and processing must pay special heed to the fundamental principles of privacy. Finally, while software designers might not be the first line of defence in terms of achieving GDPR compliance, one could indeed see them as the last line of defence in this regard, and as such they ought to be able to recognise the challenges and complexities involved in achieving GDPR compliance.

Thus, encouraging tech developers as well as software engineers and coders to engage in GDPR training achieves two goals for companies looking to enact strong GDPR compliance measures. It both enables designers to include legal requirements in the handling of data and documents company efforts in delivering compliant solutions as a vendor (data processor) or as an implementer (data controller). As Recital 78 of the GDPR states, 

When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

GDPR and Technology Neutrality

Though there are debates as to whether or not the GDPR prevents the development of advanced technology, the GDPR was not created with the intention of stifling technological innovation. An important feature of the GDPR is that it is technologically neutral, meaning that it does not discriminate between two different technologies with the same functionality or between existing and new technologies. Though its technological neutrality makes the GDPR a much more effective and widely applicable piece of legislation, it also makes it quite a bit more difficult for developers to implement.

Rather than regulating technology itself, legislation regulates only the effects of technology use and the conditions surrounding the actual processing. In essence, the GDPR does not offer specific guidelines for compliance for those developing technology. The GDPR was created to apply to technological developments taking place after its coming into force, so it is up to those developing technology to make sure that their work supports GDPR compliance. 

What challenges do developers of data processing technology face in GDPR Compliance?

New technology brings unique challenges under the GDPR. This is the case with IoT, blockchain, cloud computing, and artificial intelligence. Certain aspects of each of these might, at first glance, appear to be inherently incompatible with GDPR compliance. Since it is always best not to ignore the law, the development of new technology must take data protection into special consideration. GDPR training thus becomes a market differentiator for these organisations. Awareness of the available data subject rights, as well as the obligations of the data controller and data processor, is necessary to prevent incompatibilities between legislation and feature developments.

How should companies implement GDPR training?

GDPR compliance is a complicated, though necessary, endeavour. Given that organisations are required to adhere to the principles of Privacy by Design and Privacy by Default along with the core data protection principles, developers need to consider data protection at every phase of the design and development process. In order to develop products that have the potential to be used in a GDPR-compliant way, employees need to comprehend the rights of data subjects and the obligations of the data controller and the data processor which the GDPR outlines.

Without an adequate knowledge of GDPR requirements, it is impossible for individuals or teams to implement the necessary measures to ensure an adequate protection of data subject rights. Awareness of the challenges behind GDPR compliance and the possible conflicts between data protections and certain technologies, achieved through GDPR training, is a fundamental first step towards solving these issues and creating products and organisations that thoroughly protect the rights of data subjects. 

While compliance and GDPR training for employees are no simple tasks for an organisation to undertake, especially in fast-developing fields of technology, there are many resources available to help staff understand and best implement GDPR-appropriate measures in their respective roles. One of the most convenient ways for companies to train their technical staff on the GDPR is through an online course.

TechGDPR has created a unique online GDPR training course specifically for individuals working in technical roles, such as software developers, software engineers, DevOps, software architects, and more. This course will help clarify the GDPR requirements for technology developers and give them the tools they need to achieve GDPR compliance within their organisations and products. Though the GDPR does not specify training requirements in this regard, the extensive requirements of the Regulation and the principles of Data Protection by Design and Data Protection by Default mean that creators of data processing technology need help to methodically consider which requirements apply and to navigate them autonomously.

Artificial Intelligence and Privacy by Design
https://techgdpr.com/blog/artificial-intelligence-and-privacy-by-design/ (Thu, 17 Mar 2022)

It is not surprising that Artificial Intelligence (AI) and privacy (by design) live in constant tension. It does not help that laws and regulations are slow in keeping up and lack a coherent framework. Meanwhile, AI technologies are introduced across all sectors of our daily lives. Deloitte released an AI report, The AI Dossier, that highlights the increased use of AI applications, in particular, tools used for Human Resources (HR) such as candidate search, employee engagement and even benefit programs. 

Why do GDPR assessments on AI matter?

If your company, regardless of size, already implements or wishes to introduce AI tools or apps that interact with humans in the workplace without carrying out an in-depth assessment that evaluates risks, it may face penalties arising from both foreseen and unforeseen risks. Foreseen risks are fairly obvious risks for which the company did not take the necessary and obligatory steps to prevent them from becoming heightened security threats. Unforeseen risks result from a company not carrying out a Data Protection Impact Assessment (DPIA), or not assessing the technology in detail through human oversight/intervention at the individual level, thus allowing some form of negligence to creep in. This would result in several GDPR violations, such as impacting the rights and freedoms of data subjects (Articles 12-22), which would otherwise have been averted by privacy by design. It is nearly impossible to assess and predict all risks; however, the objective is more that of displaying user-centricity rather than runaway enthusiasm for the capabilities of the technology, thus enabling trustworthy AI with users.

Risk assessments by product designers that objectively surface risks for the data subjects are particularly challenging, a reality legislators did not ignore. To that effect, the need to assess technology from the perspective of the data subject (as embodied in Art. 35.9’s requirement to seek the views of the individuals whose data will be subjected to the technology) illustrates the intention to provide for a feedback loop in product design, in the same way that designs are tested on consumers in market research, for example.

GDPR Fines related to Artificial Intelligence 

In May 2021, the Spanish data protection authority (AEPD) imposed two fines totalling €1.5 million on EDP ENERGÍA, SAU under Articles 6, 13 and 25. One of the key elements of the decision was how the AEPD found that the infringements of Articles 6 and 22 were instrumental to the infringement of Article 13. Recall the HR example mentioned above: imagine your HR department not vetting apps or tools with AI capabilities that are introduced to process candidate applications. Did your department inadvertently discriminate against potential candidates, thus eradicating a central purpose of HR, that of promoting and sustaining diversity in the workplace? In 2018, Reuters reported that Amazon’s new recruiting engine excluded women from the candidate pool. As a result, the system learned to disqualify anyone who attended a women’s college or who listed women’s organisations on their resume. Amazon has since scrapped it and implemented a more “watered-down” recruitment system; however, the use of AI in Human Resources is expected to grow. Ultimately, and more concerning, the company has violated anti-discrimination laws, which in turn exposes the company to penalties. Under the GDPR, these penalties range from a simple order to alter the processing to being barred from processing data and/or being fined.

Therefore, the disadvantages of not putting in the groundwork to ethically evaluate tools that may or may not have AI capabilities likely include high costs, a lack of trust among your employees, and a company reputation at stake for further partnerships.

Why ethical assessments are essential for GDPR compliance

To be, or not to be ethical?

One may not always know how to scope ethical questions in today’s world of big data, data collection, AI and ML capabilities, i.e. what is intrinsically right or wrong with regard to collecting large amounts of data, or health data concerning children, for example. Today, many private or public organizations, including governments, understand the stakes of considering ethics and its importance in data collection and utilization. The GDPR further embeds ethics into law within the EEA. It safeguards the rights and freedoms of data subjects by keeping organisations in line with data protection, privacy and ethics. This is notable, for instance, in the requirements of GDPR Art. 5.1.a (lawfulness, fairness and transparency) and Art. 5.1.b (purpose limitation), which provide for a heightened requirement to communicate and to align the processing with what is expected by the data subject and what is necessary for the processing. The principle of privacy by design mentioned previously is, however, introduced by the GDPR in Article 22 and Recital 71.

The European Commission introduced a proposal for an EU regulatory framework on artificial intelligence (AI) in April 2021. The framework will complement the GDPR’s regulation of AI in Articles 13, 15-22 and 25, and intends to focus on specific uses of AI systems and their associated risks. Waiting for it to be published and come into force is, however, not the recommended approach. Investing years into product development only to find out that the product needs to be overhauled to satisfy data protection requirements prior to its release will prove dramatic. Tell-tale signs of this happening occur when co-innovation partners start pulling out of discussions. Here at TechGDPR, in preliminary discussions we have, albeit rarely, come in contact with products that are ethically questionable or intrinsically at odds with data protection. With a sharp eye for current and future trends in regulation, we help innovators understand where their products require consolidation.

As a proactive start, consider the available assessment checklists created by supervisory authorities to guide private and public organizations, to ethically assess tools and their AI features. 

Can AI comply with privacy by design requirements?

AI technology and machine learning require large amounts of data to function at all, or to produce a workable algorithm. A strong proposition of the technology is its use of data lakes in innovative ways. From the outset this is at odds with data protection law, which requires any processing to have a stated purpose before it is performed.

One can argue there is not an explicit law nor regulation enacted that fully clarifies  how companies can assess a tool’s ethical footprint. Be that as it may, the duty remains for companies to ensure Privacy by Design under the GDPR. Checklists and assessment methodologies abound, created to guide organizations to assess tools and their AI capabilities. 

We recommend that product teams start early and take a proactive role by engaging their DPO and their data protection, legal, IT and information security teams.

Weekly digest January 24 – 31, 2022: GDPR jurisdictional reach, US surveillance laws, DP Engineering
https://techgdpr.com/blog/weekly-digest-31012022-gdpr-jurisdictional-reach-us-surveillance-laws-dp-engineering/ (Mon, 31 Jan 2022)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: GDPR jurisdictional reach, CNIL’s regulatory win over Google, CJEU case laws summary

A recent UK Court of Appeal decision emphasizes the broad geographic scope of both the EU GDPR and the UK GDPR, but also ongoing uncertainty regarding the jurisdictional reach, according to the JD Supra publication. In the given case, the court had allowed a claim for contravention of the GDPR to be served on various US parties. In particular, the claimant commenced proceedings against a US-based news outlet for a series of articles and social media posts making a number of “unflattering” allegations about the claimant. In deciding whether to grant permission (to serve a claim outside of the UK jurisdiction) the court had to determine whether the claimant’s allegations that the GDPR applied had a real prospect of success. 

Of particular note was the intention of the defendant to offer goods/services to EU/UK individuals when considering whether a data controller has an “establishment” in the EU/UK. In the given case the platform expressly solicited European subscriptions (available in sterling and euros) and had secured a number of UK/EU subscribers (albeit only 6). However, the court stated that the UK Information Commissioner should be invited to participate in the case to assist the court when it comes to making a final determination. You can read more details of the case in the original judgment.

In France, the Council of State confirmed the competence of the CNIL to impose sanctions on cookies outside the one-stop-shop mechanism. The decision follows an appeal by Google LLC and Google Ireland Ltd against the €100 million fine imposed by the CNIL in 2020. The case relates to dropping advertising cookies on users’ computers through the google.fr webpage and its search engine without prior consent or satisfactory information. In its decision, the CNIL found a couple of violations of the national legislation transposing the ePrivacy Directive (the Data Protection Act). The Council of State noted that the cookies in question were being implemented within the activities of Google France, and that the CNIL was competent under the above law. It therefore did not have to refer the case to the Irish Data Protection Authority, which is the lead authority for Google companies under the GDPR’s one-stop-shop mechanism. Read the full decision (in French) here.

The Court of Justice of the European Union, (CJEU), has published a fact sheet on personal data protection, including the EU legal framework and the court’s judgements and opinions in such areas as: a) compatibility of secondary EU law with the right to the protection of personal data; b) processing of personal data within the meaning of ePrivacy Directive; c) main data protection concepts such as lawful processing, controllership; d) transfer of personal data to third countries; e) protection of personal data on the internet, intellectual property rights, user consent; f) the competent supervisory authorities, territorial application of EU legislation, etc.

Official guidance: US surveillance laws, right of access, Connected TV, NRP data, Information security vs IT security 

In Germany, the Data Protection Conference has published (only in German) its expert opinion on US surveillance laws. In particular, for the applicability of Section 702 of the US Foreign Intelligence Surveillance Act (FISA), the term “electronic communication service provider” includes not only classic IT and telecommunications companies but also companies such as banks, airlines, hotels or shipping service providers. Additionally, it is not necessary in every case for the services to be made available to the public. It may be sufficient, for example, for a company to provide an email service to its employees. Moreover, request arrangements for some datasets may relate to all data in the company, even when the communication service has nothing to do with the main entrepreneurial activity. The report also deals with the questions of whether European companies operating in the US are subject to problematic US law and whether FISA 702 applies extraterritorially.

The EDPB has published its recently adopted Guidelines on data subject rights – Right of access. The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights, and is further developed by more specific and precise rules in Art. 15 of the GDPR. However, the right of access under data protection law is to be distinguished from similar rights with other objectives, for example the right of access to public documents, which aims at guaranteeing transparency in public authorities’ decision-making and good administrative practice. The right of access includes three different components:

  • Confirmation as to whether data about the person is processed or not. 
  • Access to this personal data, and  
  • Access to information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third country transfers.

The EDPB guide includes numerous examples and illustrations for data controllers on how to interpret and assess the request, how to answer it, checking limits and restrictions, how to provide access, timing and format, how to deal with requests made by a third party, etc.

The Interactive Advertising Bureau Europe has published its guide to Connected TV (CTV) targeting and measurement solutions. Some contextual flags and metadata segments allow app publishers or CTV channel providers to create identifiers by channel, by genre, or by context for targeting purposes. According to the report, this is still in its infancy but is one of the fastest growing areas across the CTV landscape (e.g., Comscore has already launched more advanced CTV cookie-free audience targeting in Europe based on metadata, content ID and app bundle IDs). According to the guide, these contextual segments use a “crosswalk between audience behaviours and privacy-friendly contextual signals empowering brands to target CTV content that is the strongest predictor of audience behaviours without user-level identifiers”. Read the full document here.

The transfer and the generalised and undifferentiated automated processing of Passenger Name Record (PNR) data are compatible with the fundamental rights to respect for private life and to the protection of personal data, according to CJEU Advocate General Pitruzzella. By contrast, a generalised and undifferentiated retention of PNR data in a non-anonymised form can be justified only where there is a serious, actual and present or foreseeable threat to the security of the Member States, and only on condition that the duration of such retention is limited to what is strictly necessary. The PNR Directive requires the systematic processing of a significant amount of air passengers’ data entering and leaving the EU (in the fight against terrorism and serious crime). It also provides Member States with the possibility to apply the directive to intra-EU flights. The Advocate General also noted the importance of an independent supervisory authority in verifying the lawfulness of that processing, conducting investigations, inspections and audits and dealing with complaints lodged by any person concerned.

The Swedish privacy authority, IMY, published a blog post (in Swedish) on the differences between information security and IT security. Although information today is to a very large extent produced and provided via IT systems, information security concerns all types of information, including, for example, information in paper format. Information security is usually divided into two branches: administrative security and technical security. Data protection is often associated with various technical measures such as firewalls, encryption and the like, but administrative security is at least as important:

  • Technical security is typically divided into two parts: physical and IT security. Physical security is things like alarms, code locks to office rooms, safes to protect sensitive information stored on IT equipment or in paper format. IT security is about everything from VPN connections and antivirus to intrusion detection and backup.
  • Administrative security is about ensuring that there are appropriate policies, routines and instructions in place that describe how information should be handled in the organization, for example how employees should handle information, but also how to manage permissions to different IT systems. 

Data breaches, investigations and enforcement actions: failed proof of consent, multi-factor authentication, encryption

The Spanish data protection agency AEPD has punished Garlex Solutions (an energy supply consultancy) with a 15,000 euro fine over an insufficient legal basis for data processing. The claimant received a phone call from the claimed entity with an offer to “renew” an electricity supply contract. She subsequently received an SMS with a link to an electricity supply contract with Aldro Energia, in which her personal data appeared. The claimant stated it was obtained and processed without her consent. The defending party said that the claimant was contacted with the objective of offering very good conditions for the supply of electricity by Aldro Energia, for which the defendant is a contracted marketer. The usual procedure is to explain the offer and, only if the person is interested and provides their data, to send the link to a pre-contractual deal. The AEPD ruled against the company: as the burden of proof always lies with the data controller, and the claimed entity could not provide documentation proving that it had the consent of the claimant to use her personal data and send her a pre-contract, the violation stands. Even if the company obtained the claimant’s data, it did not obtain her consent for its processing and therefore incurs a violation of Art. 6 of the GDPR.

Datatilsynet issued the notification of an approx. 200,000 euro fine to the Storting, Norway’s parliamentary administration, for not implementing two-factor authentication, DataGuidance reports. In 2020, the Storting was exposed to data breaches, but since then has not implemented appropriate technical and organizational measures to achieve a sufficient level of security. The attackers had downloaded data, including personal information from email accounts, about elected representatives and the Storting’s employees, including, among other things, bank and account information, date of birth, as well as health information. Possible consequences for those affected by the attack could be the misuse of identity, the misuse of payment cards and the use of information for extortion. The Norwegian regulator believes that if two-factor authentication had been implemented at an earlier stage, the chance of a successful attack would have been considerably smaller. The Storting has three weeks to provide feedback with its views on the case, after which Datatilsynet will assess the feedback and make a final decision.

The Swedish IMY issued administrative fines totaling 180,000 euros against the Uppsala Region after finding that the regional and hospital boards had not taken appropriate security measures when handling sensitive personal data. The IMY had received two reports of personal data incidents involving sensitive personal data sent without encryption to recipients in and outside Sweden. This concerns emails with patient data that were sent automatically to the relevant healthcare administrations within the region and manually to researchers and doctors within the region, as well as the storage of patient data on the hospital’s e-mail server. The investigations also show that the processing of personal data in both cases took place in violation of the region’s own guidelines, and also indicate shortcomings in the organizational measures to protect the data against unauthorized access.

New York’s Attorney General announced a 600,000 dollar agreement with EyeMed Vision Care that resolves a 2020 data breach that compromised the personal information of approximately 2.1 mln consumers nationwide, including tens of thousands in New York state. EyeMed experienced a data breach in which attackers gained access to an EyeMed email account with sensitive customer information. The compromised information included consumers’ names, mailing addresses, Social Security numbers, identification numbers for health and vision insurance accounts, medical diagnoses and conditions, and medical treatment information. The intrusion gave the attacker access to emails and attachments with sensitive customer information dating back six years prior to the attack. The attacker also sent approximately 2,000 phishing emails from the compromised email account to EyeMed clients, seeking login credentials for their accounts. The investigation found that EyeMed had failed to implement:

  • multi-factor authentication for the affected email account (the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information);
  • adequate logging of its email accounts, which made it difficult to investigate security incidents.

Data security: DP Engineering

The EU Agency for Cybersecurity, ENISA, published its report on Data Protection Engineering. The document can be perceived as part of Data Protection by Design and by Default. It aims to support the selection, deployment and configuration of appropriate technical and organizational measures in order to satisfy specific data protection principles as set out in Art. 5 of the GDPR. The guide helps with the selection of anonymisation and pseudonymisation schemes, data masking and privacy-preserving computations, access, storage, transparency, intervenability and user control tools, the connection with the DPIA, and privacy enhancing technologies. The report provides conclusions and recommendations for relevant stakeholders.

Big Tech: WhatsApp privacy policy, Google’s legal fails and victories, Big data & media sector

Consumer complaints have prompted the EU Commission to give WhatsApp until the end of February to clarify changes to its privacy policies. It is unclear whether the new rules infringe EU consumer protection laws. Spearheaded by the European Consumer Organisation (BEUC), the complaint adds that WhatsApp has been unfairly pressuring users to sign up to the new policies, which include sharing some data with Facebook and other companies under the Meta umbrella. When the privacy update was announced it was condemned worldwide, with some users abandoning the service for other platforms like Telegram and Signal.

Plaintiffs struggling with California’s voluminous Invasion of Privacy Act in an attempt to bring a class action against Google have had their hopes definitively dashed. A Federal judge has denied them any further route forward under another of the Act’s many articles. Two claims were dismissed, the judge notably ruling that a user’s disabling of Google tracking their browsing activity via a button did not contractually oblige Google to do so, as the act of clicking did not unilaterally create a contract between Google and the user, despite the possibility, the judge noted, that the consumer might assume it did. More details in the article by Jurist.org.

Meanwhile Arizona just got hotter for Google, where a judge has ruled in favour of the state’s Attorney General and will send a lawsuit to jury trial, according to Reuters. Lawyers for parent company Alphabet tried to get the case, which focuses on allegations that Google deceived clients with misleading smartphone location tracking settings, thrown out of court. Four other state Attorneys General have launched similar lawsuits, building on the Arizona case, which was filed in 2020.

The UK Department for Digital, Culture, Media & Sport has also published an analytical report on how user data shapes the media sector. It appears that upstream providers of digital devices, in particular several large tech companies, are able to exert control over how data can be shared, accessed and used by other organisations, including media businesses. Here are some examples from the report:

  • Currently, many media businesses rely on third party cookies to gather data on user behaviour beyond their own website/app.
  • Google’s announcements, (and subsequent delays), of their intention to restrict use of third party cookies via their services is of great concern to many media organisations. Google’s ‘Privacy Sandbox’ will likely end up driving more business in Google’s own direction. 
  • Social media and tech platforms host and distribute a huge amount of the content that press publishers produce. When this happens, these host/distributor platforms have access to first party user data. The publishers, unless the consumer is asked for additional consent, do not.
  • Some TV organisations felt that data about their shows and viewers was being ‘ringfenced’ by the companies who control the operating systems on TVs—the TV manufacturers and large tech firms. The companies, such as Amazon, Google or Apple, were perceived to have a huge amount of control both over what people see and what data is available to the other media providers whose content is watched on them. 
  • Smart speakers and third-party listening platforms were creating a barrier to data access by traditional radio groups, etc. Read the full report here.

The post Weekly digest January 24 – 31, 2022: GDPR jurisdictional reach, US surveillance laws, DP Engineering appeared first on TechGDPR.

How to develop Artificial Intelligence that is GDPR-friendly https://techgdpr.com/blog/develop-artificial-intelligence-ai-gdpr-friendly/ Thu, 28 Feb 2019 10:57:01 +0000

The post How to develop Artificial Intelligence that is GDPR-friendly appeared first on TechGDPR.

The GDPR coming into effect coincides with the more widespread adoption of artificial intelligence as the technology becomes embedded in more and more enterprise applications. There is a palpable excitement around AI for its potential to revolutionize seemingly every facet of every industry. Studies reveal that 80% of executives believe AI boosts productivity. In the immediate future, execs are looking for AI to alleviate repetitive, menial tasks such as paperwork (82%), scheduling (79%) and timesheets (78%). By 2025, the artificial intelligence market is reported to surpass $100 billion.

Alongside the excitement, there are concerns. Among them is how to address data privacy, and the tension between data privacy and artificial intelligence is most pronounced in the General Data Protection Regulation (GDPR).

The GDPR is designed to protect the privacy of EU citizens and give them more control over their personal data. It aims to establish a new relationship between user and system – one where transparency and a standard of privacy are non-negotiable. Artificial Intelligence (AI) is a set of technologies or systems that allows computers to perform tasks involving a simulation of human intelligence, including decision making or learning. In order to do so, the technology or system collects voluminous amounts of data (called Big Data), notably including personal data. AI (especially Machine Learning [ML] algorithms) and Big Data go hand in hand, which has led many to question whether it is possible to use AI while still protecting the fundamental personal data protection rights outlined in the GDPR.

Applying the GDPR to machine learning and artificial intelligence

The GDPR, a sprawling piece of legislation, applies to artificial intelligence when it is under development with the help of personal data, and also when it is used to analyze or reach decisions about individuals. GDPR provisions that are squarely aimed at machine learning state “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” (Article 22 and Recital 71). Also noteworthy are Articles 13 and 15, which state repeatedly that data subjects have a right to “meaningful information about the logic involved” and to “the significance and the envisaged consequences” of automated decision-making.


It is clear that the regulation expects technologies like AI to be developed while taking into consideration the following principles:

  • fairness,
  • purpose limitation,
  • data minimisation,
  • transparency, and
  • the right to information.

The principles mentioned above are arguably among the major challenges AI faces in adapting to the new world of the GDPR. The problem is that most machine learning decision-making systems are “black boxes” rather than old-style rule-based expert systems, and therefore struggle to comply with the GDPR requirements of transparency, accountability, and putting the data subject in control.

Solutions and Recommendations to make Artificial Intelligence GDPR-friendly

Some data sets used to train AI systems have been found to contain inherent biases, which results in decisions that unfairly discriminate against certain individuals or groups. To become GDPR compliant, the design, development and use of AI should ensure that there are no unlawful biases or discrimination. Companies should invest in technical research to identify, address and mitigate biases.

One way to address bias in trained machine learning models is to build transparent models. Organizations should improve the transparency of AI systems by investing in scientific research on explainable artificial intelligence. They should also make their practices more transparent, ensuring individuals are informed appropriately when they are interacting with AI, and provide adequate information on the purpose and effects of AI systems.

With respect to data minimisation, developers should start by researching possible solutions that use less training data, anonymisation techniques, and only solutions that can explain how systems process data and how they reach their conclusions.

There is a need for privacy-friendly development and use of AI. AI should be designed and developed responsibly by applying the principles of privacy by design and privacy by default.

Organizations should conduct a data protection impact assessment at the beginning of an AI project and document the process. A report by the Norwegian Data Protection Authority, “Artificial intelligence and privacy”, suggests that the impact assessment should include the following as a minimum:

  • a systematic description of the process, its purpose, and which justified interest it protects;
  • an assessment of whether the process is necessary and proportional, given its purpose;
  • an assessment of the risk that processing involves for people’s rights, including the right to privacy; and
  • the identification of the measures selected for managing risk.

Tools and methods for good data protection in Artificial Intelligence

In addition to the impact assessment and the documentation of the process to meet the requirements of transparency and accountability, the Norwegian Data Protection Authority report mentioned above includes tools and methods for good data protection in AI. These methods reportedly have not been evaluated in practice, but have been assessed according to their potential. The methods are divided into three categories:

  1. Methods for reducing the need for training data.
  2. Methods that uphold data protection without reducing the basic dataset.
  3. Methods designed to avoid the black box issue.

1. Methods that can help to reduce the need for training data include:

  • Generative Adversarial Networks (GANs) have the potential to advance the power of neural networks and their ability to “think” in human ways. It might be an important step towards inventing a form of artificial intelligence that can mimic human behavior, make decisions and perform functions without having a lot of data.
  • Federated Learning is a privacy-friendly and flexible approach to machine learning in which data are not collected. In a nutshell, the parts of the algorithms that touch the data are moved to the users’ computers. Users collaboratively help to train a model by using their locally available data to compute model improvements. Instead of sharing their data, users then send only these abstract improvements back to the server.
  • Matrix Capsules are a new variant of neural networks, and require less data for learning than what is currently the norm for deep learning.

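The federated learning item above describes moving the part of the algorithm that touches data onto the users’ machines and sending back only model improvements. The following toy simulation, added here as an illustration and not taken from the post or from the Norwegian DPA report, shows that round trip for a linear model y = w*x + b: three hypothetical clients hold constructed data, compute gradients locally, and the server function accepts nothing but those gradients and sample counts.

```python
"""Toy federated averaging for y = w*x + b (hypothetical illustration).
Clients compute gradients on data that never leaves them; the server only
receives those gradients and the number of samples behind each one."""
from typing import List, Tuple

Point = Tuple[float, float]
Model = Tuple[float, float]          # (w, b)
Update = Tuple[float, float, int]    # (grad_w, grad_b, local sample count)


def make_client_data() -> List[List[Point]]:
    """Constructed sample data: three clients of unequal size, all drawn
    from the same rule y = 2x + 1, split by x range so no client sees it all."""
    xs0 = [j / 30 for j in range(10)]           # client 0: 10 points in [0, 1/3)
    xs1 = [1 / 3 + j / 45 for j in range(15)]   # client 1: 15 points in [1/3, 2/3)
    xs2 = [2 / 3 + j / 15 for j in range(5)]    # client 2:  5 points in [2/3, 1)
    return [[(x, 2 * x + 1) for x in xs] for xs in (xs0, xs1, xs2)]


def local_update(model: Model, data: List[Point]) -> Update:
    """Client side: gradient of the mean squared error over local data only.
    This tuple is the 'abstract improvement' sent back instead of the data."""
    w, b = model
    grad_w = grad_b = 0.0
    for x, y in data:
        err = w * x + b - y
        grad_w += 2 * err * x
        grad_b += 2 * err
    n = len(data)
    return grad_w / n, grad_b / n, n


def server_step(model: Model, updates: List[Update], lr: float) -> Model:
    """Server side: average the client gradients weighted by sample count
    (which reproduces the gradient over the union of all data), then take one
    gradient-descent step. The signature accepts no raw (x, y) pairs at all."""
    total = sum(n for _, _, n in updates)
    grad_w = sum(gw * n for gw, _, n in updates) / total
    grad_b = sum(gb * n for _, gb, n in updates) / total
    w, b = model
    return w - lr * grad_w, b - lr * grad_b


def train_federated(clients: List[List[Point]], rounds: int = 400,
                    lr: float = 0.5) -> Model:
    """Run `rounds` communication rounds starting from a zero model."""
    model: Model = (0.0, 0.0)
    for _ in range(rounds):
        updates = [local_update(model, data) for data in clients]
        model = server_step(model, updates, lr)
    return model


if __name__ == "__main__":
    w, b = train_federated(make_client_data())
    print(f"learned w={w:.4f} b={b:.4f} (true values 2 and 1)")
```

The learned parameters converge to the true w = 2 and b = 1 although no single client's data covered the whole input range and the server never held any of it.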
2. The field of cryptology offers some promising possibilities in the area of protecting privacy without reducing the data basis, including the following methods:

  • Differential privacy is the leading technique in computer science to allow for accurate data analysis with formal privacy guarantees. The mechanism used by differential privacy to protect privacy is to add noise to data purposefully (i.e. deliberate errors) so that even if it were possible to recover data about an individual, there would be no way to know whether that information was meaningful or nonsensical. One useful feature of this approach is that even though errors are deliberately introduced into the data, the errors roughly cancel each other out when the data is aggregated.
  • Homomorphic encryption can help to enforce GDPR compliance in AI solutions without necessarily constraining progress. It is a cryptosystem that allows computations to be performed on data whilst it is still encrypted, which means confidentiality can be maintained without limiting the usage possibilities of the dataset.
  • Transfer Learning enables one to train Deep Neural Networks with comparatively little data. It is the reuse of a pre-trained model on a new problem. In other words, in transfer learning an attempt is made to transfer as much knowledge as possible from the previous task the model was trained on to the new task at hand.

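The differential privacy item above says noise is added to the data on purpose so that an individual record may be meaningless while the errors cancel out in aggregate. The example below, added here and not part of the post or of the Norwegian DPA report, demonstrates that with randomized response, a simple local differential privacy mechanism (the page does not name it; the function names and the constructed population are assumptions): each person answers a yes/no question through a coin flip, and the aggregator still recovers the true count.

```python
"""Randomized response: deliberate per-person noise that cancels in aggregate
(hypothetical illustration of local differential privacy)."""
import math
import random
from typing import List, Tuple


def randomized_response(true_bit: int, p_truth: float, rng: random.Random) -> int:
    """Per-person noise: report the truth with probability p_truth, otherwise the
    result of a fair coin. Either output is possible whatever the truth, so a
    single stored answer cannot be trusted to be meaningful."""
    if rng.random() < p_truth:
        return true_bit
    return rng.randint(0, 1)


def epsilon(p_truth: float) -> float:
    """Privacy loss of the mechanism, ln(P[report=1|bit=1] / P[report=1|bit=0]).
    P[1|1] = (1+p)/2 and P[1|0] = (1-p)/2, so epsilon = ln((1+p)/(1-p))."""
    return math.log((1 + p_truth) / (1 - p_truth))


def estimate_true_count(reports: List[int], p_truth: float) -> float:
    """Aggregator side: E[report] = p*bit + (1-p)/2, so the bias introduced by
    the coin flips is known and can be subtracted; the remaining per-person
    errors average out as the number of respondents grows."""
    n = len(reports)
    ones = sum(reports)
    return (ones - n * (1 - p_truth) / 2) / p_truth


def simulate(n: int = 10_000, true_fraction: float = 0.3, p_truth: float = 0.5,
             seed: int = 7) -> Tuple[int, float, float]:
    """Constructed population: `true_fraction` of n people hold bit 1.
    Returns (true count, estimated count, fraction of individually wrong reports)."""
    rng = random.Random(seed)
    k = round(n * true_fraction)
    truth = [1] * k + [0] * (n - k)
    reports = [randomized_response(bit, p_truth, rng) for bit in truth]
    wrong = sum(1 for t, r in zip(truth, reports) if t != r) / n
    return sum(truth), estimate_true_count(reports, p_truth), wrong


if __name__ == "__main__":
    true_count, est, wrong = simulate()
    print(f"epsilon = {epsilon(0.5):.3f} (ln 3)")
    print(f"true count {true_count}, estimate {est:.0f}, "
          f"{wrong:.1%} of individual reports are wrong")
```

With p_truth = 0.5 about a quarter of the individual answers are wrong, which is the deniability each person gets, while the aggregate estimate lands within about one percent of the true count for ten thousand respondents.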
3. Methods for avoiding the black box issue include:

  • Explainable AI (XAI) plays an important role in achieving fairness, accountability and transparency in machine learning. It is based on the idea that all the automated decisions made should be explicable. In XAI, the artificial intelligence is programmed to describe its purpose, rationale and decision-making process in a way that can be understood by the average person.
  • Local Interpretable Model-Agnostic Explanations (LIME) provides an explanation of a decision after it has been made, which means it isn’t a transparent model from start to finish. Its strength lies in the fact that it is model-agnostic which means it can be applied to any model in order to produce explanations for its predictions.

The GDPR requires that technologies like AI and machine learning take privacy concerns into consideration as they are developed. With the GDPR, the road ahead will be bumpy for machine learning, but not impassable. The adoption of the measures and the methods discussed above can help to ensure that AI processes are in line with the regulation. These could also go a long way to achieving accountable AI programs that can explain their actions and reassure users that AI is worthy of their trust.
