Page 23 - FIGI - Big data, machine learning, consumer protection and privacy
P. 23
lers to provide clear and accessible explanations in not directly relate to the original purpose of data
privacy policies as to how and for what purpose their mining. As a result, the purpose for which the data
data will be used and shared. may end up being used may not be known at the
84
When it comes to decisions made as a result of big time the data is being collected, or when consent is
data and machine learning, one approach is simply obtained. Only vague purposes may be identifiable
to outlaw them where they pose unacceptable risk. at that time, which indeed accounts for the generally
This has been recommended, for instance, for the vague nature of privacy policies and data collection
use of lethal weapons. With very limited exceptions, notifications.
automated cars are not yet allowed on the streets,
although laws are being developed to enable these. Data minimisation in the context of big data
However, recognising that many automated pro- In addition, as machine learning techniques are more
cesses can bring benefits to consumers, these are effective in detecting patterns in larger datasets over
often permitted so long as consumers are notified of time, the very nature of big data is to collect the
the automated decision-making and have an oppor- maximum possible amount of data – and to retain it
tunity to opt out. For instance, the GDPR requires for as long as possible.
notice of “the existence of automated decision-mak- Thus, the very notion of data minimisation (to col-
ing, including profiling, […] and, at least in those cas- lect as little data as possible and hold it for as short a
es, meaningful information about the logic involved, time as possible according to the purpose for which
as well as the significance and the envisaged conse- it was collected) runs counter to the modus operandi
quences of such processing for the data subject.” of the industry. It undermines the prospects for genu-
85
It also provides in Article 22(1) that individuals “shall inely informative notification to users of the purpose
have the right not to be subject to a decision based of collection. Disclosures, monitoring and compli-
solely on automated processing, including profiling, ance may also be difficult and expensive. Describing
which produces legal effects concerning him or her the purpose as very broad in order to avoid such lim-
or similarly significantly affects him or her.” its may well not be legally acceptable. A 2014 report
86
This opt-out right may be helpful, but it only goes to the US President suggested that “The notice and
so far. Automated decisions are permitted under the consent is defeated by exactly the positive benefits
GDPR where necessary to enter into a contract with that big data enables: new, non-obvious, unexpect-
the individual, or with their consent. Where new edly powerful uses of data.” 88
87
services rely on profiling to establish eligibility, and
are expected to be made rapidly, often remotely and Limits of consumer responsibility
electronically, automated decisions may be neces- Furthermore, despite efforts to make notifications
sary to enter into the contract. And where an individ- simple and understandable, such documents are not
ual’s need or desire for a product or service exceeds frequently read and understood by the consumer.
89
their personal intolerance for being the subject of This undermines the notice and consent approach,
automated processing, a binary choice is presented further rendering it not only ineffective but mislead-
and the individual may have no meaningful option ing, often displacing onto the consumer a burden that
but to consent. they are unable to bear, and creating a perception of
legitimacy which is not justified. Privacy policies and
3�2 The challenge in the context of big data consent may “check the box” as part of a compli-
Big data and machine learning pose challenges to ance-oriented approach, but they do little substan-
the notice and consent approach to data protection tively to enable consumers to understand how their
and privacy law and regulation. data may be used and shared with third parties, let
alone the implications of such use and sharing. 90
Purpose specification in the context of machine Some have suggested simplifying notices because
learning artificial intelligence and machine learning design
Complying with notice requirements involves provid- specifications are currently incapable of providing
ing to individuals a detailed specification of the satisfactory accountability and verifiability, making
purpose of collecting their personal data, and close- them more impactful – like “skull and crossbones
ly monitoring operations to avoid exceeding such found on household cleaning supplies that contain
purpose. Machine learning detects patterns and poisonous compounds.” 91
then delves into deeper layers, identifying further In addition to the difficulty of expecting the con-
patterns, and these may reveal use cases which may sumer to bear the burden of responsibility for mat-
Big data, machine learning, consumer protection and privacy 21
