Chao Wu

DOI: https://doi.org/10.1016/j.techsoc.2024.102457

IF: 6.879

2024-01-01

Technology in Society

Abstract:In recent years, data privacy has attracted increasing public concerns, especially with public scandals from top Internet companies, emerging over inappropriate data collection, lack of transparency in data usage, and manipulation of users' preferences. This has led to responsive efforts from multiple sectors of society to constrain the violation of individuals’ data privacy. Among these efforts, the regulations like GDPR are the most influential, which are believed to be able to change the foundation of the whole data ecosystem. The main concern of current regulation is data transparency, designed to enable individuals to make rational decisions about their data. However, I argue that transparency cannot mitigate a key issue of data privacy, which is the right of receiving benefits from data. This issue is getting severe with the rapid development of the data economy and will become the essential problem of social welfare and fairness in the AI era. I further point out that the key to solving this issue is to migrate the current centralized data utilization paradigm to a new decentralized paradigm. Based on the recent technical advancements, I propose an applicable pathway to implement such a paradigm. And to realize a fair and sustainable data eco-system, joint efforts should be made within this paradigm.

Alex Bowyer,Jack Holt,Josephine Go Jefferies,Rob Wilson,David Kirk,Jan David Smeddinck

DOI: https://doi.org/10.1145/3491102.3501947

2022-03-10

Abstract:In our data-centric world, most services rely on collecting and using personal data. The EU's General Data Protection Regulation (GDPR) aims to enhance individuals' control over their data, but its practical impact is not well understood. We present a 10-participant study, where each participant filed 4-5 data access requests. Through interviews accompanying these requests and discussions scrutinising returned data, it appears that GDPR falls short of its goals due to non-compliance and low-quality responses. Participants found their hopes to understand providers' data practices or harness their own data unmet. This causes increased distrust without any subjective improvement in power, although more transparent providers do earn greater trust. We propose designing more effective, data-inclusive and open policies and data access systems to improve both customer relations and individual agency, and also that wider public use of GDPR rights could help with delivering accountability and motivating providers to improve data practices.

Human-Computer Interaction

Mauritz Kop

DOI: https://doi.org/10.2139/ssrn.3653537

2020-01-01

SSRN Electronic Journal

Abstract:Europe is now at a crucial juncture in deciding how to deploy data driven technologies in ways that encourage democracy, prosperity and the well-being of European citizens. Normative preferences about how related technology laws ought to be designed should define sustainable exponential innovation policy. These preferences are dynamic and contextual. The upcoming European Data Act provides a major window of opportunity to change the story. In this respect, it is key that the European Commission takes firm action, removes overbearing policy and regulatory obstacles, strenuously harmonizes relevant legislation and provides concrete incentives and mechanisms for access, sharing and re-use of data. The article argues that to ensure an efficiently functioning European data-driven economy, a new and as yet unused term must be introduced to the field of AI & law: the right to process data for machine learning purposes. To make AI and machine learning thrive, we should critically re-examine the applicability and scope of intellectual property rights to data, including copyrights, sui generis database rights and trade secrets. The article demonstrates that exclusive de facto possession or control over machine learning input training, testing and validation datasets hinders healthy competition, a fair level playing field and rapid European innovation. The article rejects exclusive legal ownership rights over autonomously machine generated non-personal data, including AI made creations and inventions: this output belongs to the public domain. Machines do not need incentives, people need freedom of expression and businesses need freedom to operate. Synchronous to harmonized legislation, the social impact of digital transformation can be balanced and regulated by the architecture of digital systems. Embedding values in design should become a fundamental starting point of our data paradigm. Data has become a primary resource that should not be enclosed or commodified per se, but used for the common good. Commons based production and data for social good initiatives should be stimulated by the state. We need not to think in terms of exclusive, private property on data, but in terms of rights and freedoms to use, (modalities of) access, process and share data. If necessary and desirable for the progress of society, the state can implement new forms of property. Against this background the article explores normative justifications for open innovation, drawing inspiration from the works of canonical thinkers such as Locke, Marx, Kant and Hegel.Whether or not data as digital assets are ultimately admitted to the numerus clausus of legal objects i.e. acknowledged as subject matter eligible for private ownership, or whether other modalities and states of property are being developed, the article maintains that there should also be exceptions to (de facto, economic or legal) ownership claims on data that provide user rights and freedom to operate in the setting of AI model training.The article concludes that this exception is conceivable as a legal concept analogous to a quasi, imperfect usufruct in the form of a right to process data for machine learning purposes. A combination of usus and fructus (ius utendi et fruendi), not for land but for primary resource data. A right to process data that works within the context of AI and the Internet of Things (IoT), and that fits in the EU acquis communautaire. Such a right makes access, sharing and re-use of data possible, and helps to fulfil the European Strategy for Data’s desiderata.

Serge Abiteboul,Julia Stoyanovich

DOI: https://doi.org/10.48550/arXiv.1903.03683

2019-03-09

Abstract:The data revolution continues to transform every sector of science, industry and government. Due to the incredible impact of data-driven technology on society, we are becoming increasingly aware of the imperative to use data and algorithms responsibly -- in accordance with laws and ethical norms. In this article we discuss three recent regulatory frameworks: the European Union's General Data Protection Regulation (GDPR), the New York City Automated Decisions Systems (ADS) Law, and the Net Neutrality principle, that aim to protect the rights of individuals who are impacted by data collection and analysis. These frameworks are prominent examples of a global trend: Governments are starting to recognize the need to regulate data-driven algorithmic technology. Our goal in this paper is to bring these regulatory frameworks to the attention of the data management community, and to underscore the technical challenges they raise and which we, as a community, are well-equipped to address. The main take-away of this article is that legal and ethical norms cannot be incorporated into data-driven systems as an afterthought. Rather, we must think in terms of responsibility by design, viewing it as a systems requirement.

Databases,Computers and Society

Daniela Pöhn,Niklas Mörsdorf,Wolfgang Hommel

DOI: https://doi.org/10.48550/arXiv.2308.15166

2023-08-29

Cryptography and Security

Abstract:The General Data Protection Regulation (GDPR) was implemented in 2018 to strengthen and harmonize the data protection of individuals within the European Union. One key aspect is Article 15, which gives individuals the right to access their personal data in an understandable format. Organizations offering services to Europeans had five years' time to optimize their processes and functions to comply with Article 15. This study aims to explore the process of submitting and receiving the responses of organizations to GDPR Article 15 requests. A quantitative analysis obtains data from various websites to understand the level of conformity, the data received, and the challenges faced by individuals who request their data. The study differentiates organizations operating worldwide and in Germany, browser website- and app-based usage, and different types of websites. Thereby, we conclude that some websites still compile the data manually, resulting in longer waiting times. A few exceptions did not respond with any data or deliver machine-readable data (GDRP Article 20). The findings of the study additionally reveal ten patterns individuals face when requesting and accessing their data.

Sanchit Alekh

DOI: https://doi.org/10.48550/arXiv.1806.03253

2018-06-01

Computers and Society

Abstract:The GDPR, or the Datenschutz Grundverordnung (DSGVO) in German, is an EU Law which addresses the subject of safeguarding privacy of personal data of the citizens of the EU and EEA. It also specifies how data the collected data might be transported out of the EU/EEA. It is the first genuine effort to unify the plethora of disparate privacy regulations put forward by different regulatory bodies. The GDPR aims to not only give more control over their personal data to the citizens, but also make conformance for businesses easier by defining unified guidelines. It also presses businesses, especially those dealing with sensitive personal data, to build their information systems in a way that confirms with Privacy by Design. These regulations aim to ensure a more transparent handling and processing of personal data, and create an environment of trust and awareness on both sides, i.e., the data owner as well as the controllers/processors.

Yujin Kwon,Ella Corren,Gonzalo Munilla Garrido,Chris Hoofnagle,Dawn Song

2023-12-04

Abstract:As information economies burgeon, they unlock innovation and economic wealth while posing novel threats to civil liberties and altering power dynamics between individuals, companies, and governments. Legislatures have reacted with privacy laws designed to empower individuals over their data. These laws typically create rights for "data subjects" (individuals) to make requests of data collectors (companies and governments). The European Union General Data Protection Regulation (GDPR) exemplifies this, granting extensive data rights to data subjects, a model embraced globally. However, the question remains: do these rights-based privacy laws effectively empower individuals over their data? This paper scrutinizes these approaches by reviewing 201 interdisciplinary empirical studies, news articles, and blog posts. We pinpoint 15 key questions concerning the efficacy of rights allocations. The literature often presents conflicting results regarding the effectiveness of rights-based frameworks, but it generally emphasizes their limitations. We offer recommendations to policymakers and Computer Science (CS) groups committed to these frameworks, and suggest alternative privacy regulation approaches.

Computers and Society,Databases

Chris Jay Hoofnagle,Bart van der Sloot,Frederik Zuiderveen Borgesius

DOI: https://doi.org/10.1080/13600834.2019.1573501

2019-01-02

Abstract:This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union’s General Data Protection Regulation (‘GDPR’). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

Julia Stoyanovich,Bill Howe,H. V. Jagadish

DOI: https://doi.org/10.14778/3415478.3415570

IF: 2.5

2020-08-01

Proceedings of the VLDB Endowment

Abstract:The need for responsible data management intensifies with the growing impact of data on society. One central locus of the societal impact of data are Automated Decision Systems (ADS), socio-legal-technical systems that are used broadly in industry, non-profits, and government. ADS process data about people, help make decisions that are consequential to people's lives, are designed with the stated goals of improving efficiency and promoting equitable access to opportunity, involve a combination of human and automated decision making, and are subject to auditing for legal compliance and to public disclosure. They may or may not use AI, and may or may not operate with a high degree of autonomy, but they rely heavily on data. In this article, we argue that the data management community is uniquely positioned to lead the responsible design, development, use, and oversight of ADS. We outline a technical research agenda that requires that we step outside our comfort zone of engineering for efficiency and accuracy, to also incorporate reasoning about values and beliefs. This seems high-risk, but one of the upsides is being able to explain to our children what we do and why it matters.

computer science, information systems, theory & methods

James Pavur,Casey Knerr

DOI: https://doi.org/10.48550/arXiv.1912.00731

2019-12-02

Abstract:The General Data Protection Regulation (GDPR) has become a touchstone model for modern privacy law, in part because it empowers consumers with unprecedented control over the use of their personal information. However, this same power may be susceptible to abuse by malicious attackers. In this paper, we consider how legal ambiguity surrounding the "Right of Access" process may be abused by social engineers. This hypothesis is tested through an adversarial case study of more than 150 businesses. We find that many organizations fail to employ adequate safeguards against Right of Access abuse and thus risk exposing sensitive information to unauthorized third parties. This information varied in sensitivity from simple public records to Social Security Numbers and account passwords. These findings suggest a critical need to improve the implementation of the subject access request process. To this end, we propose possible remediations which may be appropriate for further consideration by government, industry and individuals.

Cryptography and Security,Computers and Society

Piero A. Bonatti,Sabrina Kirrane,Iliana M. Petrova,Luigi Sauro

DOI: https://doi.org/10.1007/s13218-020-00677-4

2020-07-08

Abstract:The European General Data Protection Regulation (GDPR) calls for technical and organizational measures to support its implementation. Towards this end, the SPECIAL H2020 project aims to provide a set of tools that can be used by data controllers and processors to automatically check if personal data processing and sharing complies with the obligations set forth in the GDPR. The primary contributions of the project include: (i) a policy language that can be used to express consent, business policies, and regulatory obligations; and (ii) two different approaches to automated compliance checking that can be used to demonstrate that data processing performed by data controllers/processors complies with consent provided by data subjects, and business processes comply with regulatory obligations set forth in the GDPR.

Supreeth Shastri,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.48550/arXiv.1903.09305

2019-05-15

Abstract:In recent years, our society is being plagued by unprecedented levels of privacy and security breaches. To rein in this trend, the European Union, in 2018, introduced a comprehensive legislation called the General Data Protection Regulation (GDPR). In this paper, we review GDPR from a system design perspective, and identify how its regulations conflict with the design, architecture, and operation of modern systems. We illustrate these conflicts via the seven GDPR sins: storing data forever; reusing data indiscriminately; walled gardens and black markets; risk-agnostic data processing; hiding data breaches; making unexplainable decisions; treating security as a secondary goal. Our findings reveal a deep-rooted tussle between GDPR requirements and how modern systems have evolved. We believe that achieving compliance requires comprehensive, grounds up solutions, and anything short would amount to fixing a leaky faucet in a sinking ship.

Computers and Society,Cryptography and Security

Paulius Jurcys,Marcelo Corrales Compagnucci,Mark Fenwick

2024-07-30

Abstract:The General Data Protection Regulation contains a blanket prohibition on the transfer of personal data outside of the European Economic Area unless strict requirements are met. The rationale for this provision is to protect personal data and data subject rights by restricting data transfers to countries that may not have the same level of protection as the EEA. However, the ubiquitous and permeable character of new technologies such as cloud computing, and the increased inter connectivity between societies, has made international data transfers the norm and not the exception. The Schrems II case and subsequent regulatory developments have further raised the bar for companies to comply with complex and, often, opaque rules. Many firms are, therefore, pursuing technology-based solutions in order to mitigate this new legal risk. These emerging technological alternatives reduce the need for open-ended cross-border transfers and the practical challenges and legal risk that such transfers create after Schrems. This article examines one such alternative, namely a user-held data model. This approach takes advantage of personal data clouds that allows data subjects to store their data locally and in a more decentralised manner, thus decreasing the need for cross-border transfers and offering end-users the possibility of greater control over their data.

Computers and Society

Harshvardhan J. Pandit,Jan Lindquist,Georg P. Krog

2024-05-01

Abstract:The ISO/IEC TS 27560:2023 Privacy technologies - Consent record information structure provides guidance for the creation and maintenance of records regarding consent as machine-readable information. It also provides guidance on the use of this information to exchange such records between entities in the form of 'receipts'. In this article, we compare requirements regarding consent between ISO/IEC TS 27560:2023, ISO/IEC 29184:2020 Privacy Notices, and the EU's General Data Protection Regulation (GDPR) to show how these standards can be used to support GDPR compliance. We then use the Data Privacy Vocabulary (DPV) to implement ISO/IEC TS 27560:2023 and create interoperable consent records and receipts. We also discuss how this work benefits the the implementation of EU Data Governance Act (DGA), specifically for machine-readable consent forms.

Cryptography and Security

Sean Sirur,Jason R. C. Nurse,Helena Webb,Jason R.C. Nurse

DOI: https://doi.org/10.48550/arXiv.1808.07338

2018-08-22

Computers and Society

Abstract:The EU General Data Protection Regulation (GDPR), enforced from 25th May 2018, aims to reform how organisations view and control the personal data of private EU citizens. The scope of GDPR is somewhat unprecedented: it regulates every aspect of personal data handling, includes hefty potential penalties for non-compliance, and can prosecute any company in the world that processes EU citizens' data. In this paper, we look behind the scenes to investigate the real challenges faced by organisations in engaging with the GDPR. This considers issues in working with the regulation, the implementation process, and how compliance is verified. Our research approach relies on literature but, more importantly, draws on detailed interviews with several organisations. Key findings include the fact that large organisations generally found GDPR compliance to be reasonable and doable. The same was found for small-to-medium organisations (SMEs/SMBs) that were highly security-oriented. SMEs with less focus on data protection struggled to make what they felt was a satisfactory attempt at compliance. The main issues faced in their compliance attempts emerged from: the sheer breadth of the regulation; questions around how to enact the qualitative recommendations of the regulation; and the need to map out the entirety of their complex data networks.

Alexander Bernier,Fruzsina Molnár-Gábor,Bartha M Knoppers,Pascal Borry,Priscilla M D G Cesar,Thijs Devriendt,Melanie Goisauf,Madeleine Murtagh,Pilar Nicolás Jiménez,Mikel Recuero,Emmanuelle Rial-Sebbag,Mahsa Shabani,Rebecca C Wilson,Davide Zaccagnini,Lauren Maxwell

DOI: https://doi.org/10.1038/s41431-023-01403-y

Abstract:The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.

Sabrina Kirrane,Javier D. Fernández,Piero Bonatti,Uros Milosevic,Axel Polleres,Rigo Wenning

DOI: https://doi.org/10.48550/arXiv.2001.09461

2020-01-26

Cryptography and Security

Abstract:The European General Data Protection Regulation (GDPR) brings new challenges for companies who must ensure they have an appropriate legal basis for processing personal data and must provide transparency with respect to personal data processing and sharing within and between organisations. Additionally, when it comes to consent as a legal basis, companies need to ensure that they comply with usage constraints specified by data subjects. This paper presents the policy language and supporting ontologies and vocabularies, developed within the SPECIAL EU H2020 project, which can be used to represent data usage policies and data processing and sharing events. We introduce a concrete transparency and compliance architecture, referred to as SPECIAL-K, that can be used to automatically verify that data processing and sharing complies with the data subjects consent. Our evaluation, based on a new compliance benchmark, shows the efficiency and scalability of the system with increasing number of events and users.

Damiano Torre,Mauricio Alferez,Ghanem Soltana,Mehrdad Sabetzadeh,Lionel Briand

DOI: https://doi.org/10.48550/arXiv.2007.12046

2020-07-23

Abstract:In Europe and indeed worldwide, the General Data Protection Regulation (GDPR) provides protection to individuals regarding their personal data in the face of new technological developments. GDPR is widely viewed as the benchmark for data protection and privacy regulations that harmonizes data privacy laws across Europe. Although the GDPR is highly beneficial to individuals, it presents significant challenges for organizations monitoring or storing personal information. Since there is currently no automated solution with broad industrial applicability, organizations have no choice but to carry out expensive manual audits to ensure GDPR compliance. In this paper, we present a complete GDPR UML model as a first step towards designing automated methods for checking GDPR compliance. Given that the practical application of the GDPR is influenced by national laws of the EU Member States, we suggest a two-tiered description of the GDPR, generic and specialized. In this paper, we provide (1) the GDPR conceptual model we developed with complete traceability from its classes to the GDPR, (2) a glossary to help understand the model, (3) the plain-English description of 35 compliance rules derived from GDPR along with their encoding in OCL, and (4) the set of 20 variations points derived from GDPR to specialize the generic model. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it, and future directions for research.

Software Engineering

Dražen Oreščanin,Tomislav Hlupić,Boris Vrdoljak

DOI: https://doi.org/10.1109/access.2024.3365042

IF: 3.9

2024-03-06

IEEE Access

Abstract:Privacy is a fundamental human right according to the Universal Declaration of Human Rights of the United Nations. Adoption of the General Data Protection Regulation (GDPR) in European Union in 2018 was turning point in management of personal data, specifically personal identifiable information (PII). Although there were many previous privacy laws in existence before, GDPR has brought privacy topic in the regulatory spotlight. Two most important novelties are seven basic principles related to processing of personal data and huge fines defined for violation of the regulation. Many other countries have followed the EU with the adoption of similar legislation. Personal data management processes in companies, especially in analytical systems and Data Lakes, must comply with the regulatory requirements. In Data Lakes, there are no standard architectures or solutions for the need to discover personal identifiable information, match data about the same person from different sources, or remove expired personal data. It is necessary to upgrade the existing Data Lake architectures and metadata models to support these functionalities. The goal is to study the current Data Lake architecture and metadata models and to propose enhancements to improve the collection, discovery, storage, processing, and removal of personal identifiable information. In this paper, a new metadata model that supports the handling of personal identifiable information in a Data Lake is proposed.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lachlan Urquhart,Neelima Sailaja,Derek McAuley

DOI: https://doi.org/10.1007/s00779-017-1069-2

2018-01-23

Abstract:There is an increasing role for the IT design community to play in regulation of emerging IT. Article 25 of the EU General Data Protection Regulation (GDPR) 2016 puts this on a strict legal basis by establishing the need for information privacy by design and default (PbD) for personal data-driven technologies. Against this backdrop, we examine legal, commercial and technical perspectives around the newly created legal right to data portability (RTDP) in GDPR. We are motivated by a pressing need to address regulatory challenges stemming from the Internet of Things (IoT). We need to find channels to support the protection of these new legal rights for users in practice. In Part I we introduce the internet of things and information PbD in more detail. We briefly consider regulatory challenges posed by the IoT and the nature and practical challenges surrounding the regulatory response of information privacy by design. In Part II, we look in depth at the legal nature of the RTDP, determining what it requires from IT designers in practice but also limitations on the right and how it relates to IoT. In Part III we focus on technical approaches that can support the realisation of the right. We consider the state of the art in data management architectures, tools and platforms that can provide portability, increased transparency and user control over the data flows. In Part IV, we bring our perspectives together to reflect on the technical, legal and business barriers and opportunities that will shape the implementation of the RTDP in practice, and how the relationships may shape emerging IoT innovation and business models. We finish with brief conclusions about the future for the RTDP and PbD in the IoT.

Human-Computer Interaction,Computers and Society,Distributed, Parallel, and Cluster Computing