systemhalted by Palak Mathur

General Data Protection Regulation and Personal Data

Note: Submitted as part of CS7637 Homework

Article 4 of the General Data Protection Regulation (GDPR) [1] defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” Article 5 of GDPR defines the following principles relating to the processing of personal data:

  1. lawfulness, fairness and transparency
  2. purpose limitation
  3. data minimisation
  4. accuracy
  5. storage limitation
  6. integrity and confidentiality
  7. accountability

To ensure that any processing of personal data follows the above principles, individuals should be provided with specific, clear and meaningful information about how decisions are made. This forces organisations to provide the following information to the data subject:

  1. The existence of automatic data processing, meaningful information about the logic involved (Art.13 & 14)
  2. The envisaged consequences of such processing for the data subject. (Art.13 & 14)
  3. Specific circumstances and context in which the personal data are processed (Recital 71)
  4. “Specific information” and the “right to obtain human intervention” (Preamble 71)
  5. Explanation of the decision reached (Preamble 71)
  6. The procedure to challenge the decision (Preamble 71) including the contact details of the controller and data protection officer (Art.13 & 14)


GDPR provisions make it difficult for companies with dubious privacy policies to collect and process data. Hence, any data that is to be used for any processing (Artificial Intelligence and Machine Learning) needs to be collected with the prior knowledge of the individual, in line with the above principles, while giving the individual the right to opt out of any process that the individual thinks might be detrimental to them. Companies that have better privacy policies and are transparent in their processing of data have nothing to fear and will benefit greatly by making the individual a partner in their work, giving individuals an easy path to share their personal information when they think it will benefit them.

The Impact on Advertising: Google

Companies like Google Ads that personalize the advertising experience for users based on the data collected about them might feel the real heat. Google uses personal information to recommend products that might be of interest to the user, ensuring a high click-through rate [2] and thus providing value to the company whose products are advertised and mapped to the user. The GDPR restricts the ability of Google to collect this data without the prior knowledge of the individual and forces it to follow the principles enshrined in the regulation, as stated above.

Having said that, I believe it is possible for Google (and, for that matter, any other company) to continue serving its customers if it proactively seeks input from the individuals (‘data subjects’) concerned and includes them in its vision of the future. This will help gain their confidence and make them willing to share such data as required for the product. A few of the measures that will help in this process are as follows. These are only suggested measures and not an exhaustive list:

  • Make users aware of how technology is used to process and personalize data; take their input about such use

  • Include GDPR principles as part of the Privacy Policy and clearly state it as part of the vision and mission statement

  • Properly identify issues with the current process and plan to resolve them; also, communicate about this with the ‘data subjects’

  • Establish proper security procedures to prevent any data breaches. The procedure for handling a data breach, and the communication related to it, should be established beforehand, making sure that a proper responsibility and accountability structure is in place.

  • Be aware of biases that might creep into the algorithms and process; build awareness to mitigate such biases

References and Footnotes

  1. GDPR comprises a Preamble and 9 chapters including 99 Articles (European Union, 2016)

  2. GoogleAds (2019). Click: Definition. url: ( 
