Data portability

According to DataPortability Project, data portability is the ability for people to reuse their data across interoperable applications.

Data portability is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. closed platforms, thus subjecting them to lock-in. Data portability requires common technical standards to facilitate the transfer from one data controller to another, thus promoting interoperability.

In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or personally identifiable information too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered consumer protection, the following related activities have been introduced by public-minded actors in the European Union and Switzerland.

European Union

The right to data portability was laid down in the European Union's General Data Protection Regulation GDPR passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." [1][2] Earlier the European Data Protection Supervisor had stated that data portability could "let individuals benefit from the value created by the use of their personal data".[3] The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.[4]

Switzerland

Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,[5] there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.[6] The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.[7]

Requirements for effective data interoperability

It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability:

Rights of data subjects under the European Union's new GDPR

The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. [8] Here there is room only for a few rights related to data portability such as those of access and to explanation.

Comparison to the right of access in the EU GDPR

The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought.

In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract.

Comparison to the right of explanation

The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a decision tree. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.[9] This includes decisions based on profiling. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. [10] The issue has been discussed by Bygrave,[11] and by Hildebrandt,[12] who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; [13] the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . [14]

Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. [15] Pasquale does not think the approach goes far enough, as he has stated in a blog entry. [16]

Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." [17]

A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.[18]

On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. [19] Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.[20]

References

  1. The right to data portability is now enshrined as such in Article 20 "Official Journal of the European Union, 156 page PDF". European Commission. May 4, 2016.
  2. "The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4". Bloomberg BNA. February 12, 2016.
  3. "European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13" (PDF). EDPS. November 19, 2015.
  4. "Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ?". CNIL. June 15, 2016.
  5. European Free Trade Association#EFTA and the European Union
  6. "Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045
  7. "Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data". Retrieved April 15, 2016.
  8. Gabel, Detlev; Hickman, Tim (2016). "Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law". White & Case LLP.
  9. Gabel, Detlev; Hickman, Tim (July 22, 2016). "Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation". White & Case.
  10. Metz, Cade (July 11, 2016). "Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe". Wired.
  11. Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf
  12. Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/
  13. Pasquale, Frank (2015). The Black Box Society. Harvard University Press.
  14. Rotenberg, Marc (December 19, 2014). Electronic Privacy Information Center EPIC, ed. "[8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24,". EPIC.
  15. Goodman, Bryce; Flaxman, Seth (August 31, 2016). "European Union regulations on algorithmic decision-making and a "right to explanation"". arXiv.
  16. Pasquale, Frank (February 5, 2016). "Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry)".
  17. Kamarinou, Dimitra; Millard, Christopher; Singh, Jatinder (November 7, 2016). "Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016".
  18. Mittelstadt, Brent D.; Allo, Patrick; Taddeo, Mariarosaria; Wachter, Sandra; Floridi, Luciano (November 1, 2016). "The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2.". Sage.
  19. Boyd, danah (November 7, 2016). "Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy". datasociety.net.
  20. "Principles for Accountable Algorithms and a Social Impact Statement for Algorithms". NYU. November 18, 2016.
This article is issued from Wikipedia - version of the 12/3/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.