44   https:// www .apexanalytix .com/ .
            45   https:// www .kount .com/ .
            46   Daniel Faggella, Machine Learning in Finance – Present and Future Applications, 18 September 2018, https:// www
                .techemergence .com/ machine -learning -in -finance/ .
            47   Article 227 bis 1 of the Securities Market Law, Investment Advisors Chapter.
            48   See for example Cass Sunstein, Christine Jolls and Richard Thaler, A Behavioural Approach to Law and Economics
                Stanford Law Review 50 (1998); and Cass Sunstein and Richard Thaler, Nudge (2008) Yale University Press.
            49   For instance, section 5 of the US Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or
                affecting commerce,” which has been one of the foundations of digital privacy enforcement in the USA.
            50   Kate Crawford et al., The AI Now Report: The Social and Economic Implications of Artificial Intelligence Technologies
                in the Near Term 6-8 (2016), https:// artificialintelligencenow .com/ media/ documents/ AINowSummaryReport _3
                _RpmwKHu .pdf.
            51   Paul Schwartz, Data Processing and Government Administration: The Failure of the American Legal Response to the
                Computer, 43 HASTINGS L.J. 1321, 1342 (1992).
            52   Lee A Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits (Kluwer Law Intl 2002) 128–129.
            53   The GDPR defines “personal data” in Article 4(1) as “any information relating to an identified or identifiable natural
                person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular
                by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or
                more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural
                person.”
            54   The EU’s Article 29 Working Party distinguished between these three categories in Article 29 Data Protection Working
                Party, ‘Guidelines on Automated Individual Decision Making and Profiling for the Purposes of Regulation 2016/679’
                (n19) 8, available at http:// ec .europa .eu/ newsroom/ article29/ item -detail .cfm ?item _id = 612053.
            55   Sandra Wachter & Brent Mittelstadt, A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of
                Big Data and AI, (2019) Colum. Bus. L. Rev.  https:// papers .ssrn .com/ sol3/ papers .cfm ?abstract _id = 3248829 (Wachter &
                Mittelstadt).
            56   Ibid.
            57   GDPR, Articles 13-15.
            58   GDPR, Article 16.
            59   GDPR, Article 17.
            60   GDPR, Article 20.
            61   GDPR, Article 21.
            62   UNCTAD, Global cyberlaw tracker, as of 217 September 2018. Another measure put the number at 120 in 2017. See
                Greenleaf, Graham, Global Data Privacy Laws 2017: 120 National Data Privacy Laws, Including Indonesia and Turkey
                (January 30, 2017). (2017) 145 Privacy Laws & Business International Report, 10-13; UNSW Law Research Paper No. 17-
                45. In Africa alone, 22 countries already have privacy and data protection laws: Angola (2016), Benin (2009), Botswana
                (2018), Burkina Faso (2004), Chad (2015), Cape Verde (2001), Côte d’Ivoire (2013), Equatorial Guinea (2016), Gabon
                (2011), Ghana (2012), Lesotho (2012), Madagascar (2014), Mali (2013), Mauritius (2017), Mauritania (2017), Morocco
                (2009), Senegal (2008), Seychelles (2002), South Africa (2013), Tunisia (2004), Zambia, and Zimbabwe (2003).
                Algeria, Democratic Republic of the Congo, Ethiopia, Kenya, Malawi, Mauritania, Niger, Nigeria, Rwanda, Sierra Leone,
                Swaziland, Tanzania and Uganda, have prepared and are considering draft legislation. See CIPESA, State of Internet
                Freedom in Africa 2018: Privacy and Data Protection in the Digital Era - Challenges and Trends in Africa, September
                2018 at 7.
            63   Paragraphs 1 and 12 of Article 16 of the Mexican Constitution.
            64   Paragraph 2 of Article 16 of the Mexican Constitution.
            65   K.S. Puttaswamy & Anr. v. Union of India & Ors. (2017) 10 SCC 1.
            66   In 1974, the US Congress stated in the federal Privacy Act that “the right to privacy is a personal and fundamental right
                protected by the Constitution of the United States.”
            67   In December 2009, when the Lisbon Treaty took force, the EU’s Charter of Fundamental Rights guaranteed privacy and
                data protection as among 50 other fundamental rights.





                                                             Big data, machine learning, consumer protection and privacy  49