Monetary Authority of Singapore’s FEAT Principles
                Internal Accountability
                7. Use of AIDA in AIDA-driven decision-making is approved by an appropriate internal authority.
                8. Firms using AIDA are accountable for both internally developed and externally sourced AIDA models.
                9. Firms using AIDA proactively raise management and Board awareness of their use of AIDA.
                External Accountability
                10. Data subjects are provided with channels to enquire about, submit appeals for and request reviews
                of AIDA-driven decisions that affect them.


            mation has been shared.  The EU’s GDPR confers     the data are no longer necessary in relation to the
                                   163
            rights on individuals to be informed if personal data   purposes for which they were collected or processed
            about them is being processed, to receive a free copy   and, if the processing is based on consent, where the
            of that data,  to have inaccuracies corrected, and to   individual withdraws that  consent and there is no
                       164
            complete personal data that is incomplete. 165     other legal ground for the processing.  The right to
                                                                                                170
               Such rights are also widely recognized in interna-  be forgotten was famously exercised in Spain against
            tional law.  The OECD Privacy Handbook says, “[t]  Google.  California’s new law also requires business-
                                                                     171
                     166
            he right of individuals to access and challenge per-  es to comply with a consumer’s request to delete
            sonal data is generally regarded as perhaps the most   personal information unless the information is neces-
            important privacy protection safeguard.”           sary for the business to perform certain functions. 172
               In  some  jurisdictions,  the  individual  may  have   Whether inferences drawn through machine
            the right to access not merely provided data and   learning may be the subject of a right of access, rec-
            observed data, but also inferred data and derived   tification or erasure has not as yet been established,
            data (see section 4.5). These may include profiles   and in many countries is not certain. It is likely that
            that the data controller has developed, and informa-  most countries’ data protection laws will be applied
            tion about the purpose of the data processing, the   to give greater weight to the interest of a business
            categories of data held and their source. 167      in retaining and using data it has produced through
               Rectification may be simple for a consumer where   machine learning processing, than the privacy inter-
            the data is verifiable, such as their date of birth,   ests of consumers, just as its trade secrets and intel-
            address, salary level or marital status. However, in the   lectual property will be attributed value compared
            case of big data and machine learning, data about   with the consumer’s potentially nebulous interests.
                                                                                                           173
            the individual may comprise inferences rather than   Of course, data may already have been shared with
            the plain facts of their life.                     third parties before the consumer requests its era-
               Some  inferences,  such  as  a  person’s  predicted   sure, further weakening this remedy.
            levels of income, expenses or illnesses over time, or   In a big data era, the proliferation of personal data
            age of death, may be important to automated (or    about individuals poses important challenges to indi-
            human) decisions about an individual, such as for   viduals’ ability to exercise these rights.
            example eligibility for, or price of, financial services.
            Some suggest that individuals’ rights to rectify data   5�2  Providing consumers with transparency and
            ought not to be restricted to verifiable personal data   explanations
            because the verifiability of an inference may not
            determine its effect on the individual concerned, and   Explaining automated decisions
            because the individual may be able to provide infor-  Accountability  for  decisions  typically  begins  with
            mation that supplements the inference (e.g., updated   or at least requires an explanation for the basis and
            health information). 168                           method of the decision.
                                                                                    174
               An increasing number of data protection laws      Some advocate establishing (as some jurisdic-
            provide individuals with the right of erasure (also   tions such as the EU have done) a consumer right to
            referred to as the right to be forgotten) of personal   an explanation where a solely automated decision,
            data about them where the data are no longer neces-  such as a declined loan application or reduction in
            sary for the purposes for which they were collected   a credit limit, has legal or other significant effects.
                                                                                                          175
            or processed.  Under the GDPR, individuals have the
                        169
            right to erasure of personal data about them where


           34    Big data, machine learning, consumer protection and privacy