169   GDPR, Article 17. See Kelly & Satola, “The Right to Be Forgotten”, University of Illinois Law Review, Vol. 1, 2017.
                California’s new Consumer Privacy Act requires certain businesses to meet a consumer’s request to delete personal
                information unless the information is necessary for the business to perform certain functions. California Consumer
                Privacy Act of 2018, Cal. Cov. Code, §178.105.
            170    GDPR, Article 17.
            171   Case C-131/12, Google Spain v. Agencia de Protección de Datos (AEPD), 2014 EUR-Lex (May 13, 2014). A Spanish
                national complained to the Spanish Data Protection Agency (AEPD) about Internet stories linking his name with
                attachment proceedings in a real-estate auction related to recovery of social security debts. Mr Costeja González
                requested that the newspaper remove or alter the pages, or that Google Spain or Google Inc remove or conceal the
                personal data in search results. Google objected to the Spanish National High Court, which requested a decision of the
                European Court of Justice (ECJ), which found that Google was a data controller against which the right to be forgotten
                could be exercised, and thus Mr. Costeja had the right to make the request and have it reviewed by the AEPD. See Kelly
                & Satola, The Right to Be Forgotten, University of Illinois Law Review, Vol. 1, 2017.
            172   Ibid, §178.105.
            173   See, e.g., Gianclaudio Malgieri, ‘Trade Secrets v Personal Data: A Possible Solution for Balancing Rights’ (2016) 6
                International Data Privacy Law 102, 115.
            174   Finale Doshi-Velez and others, ‘Accountability of AI Under the Law: The Role of Explanation’ [2017] arXiv preprint
                arXiv: 1711 .01134.

            175   See Ethically Aligned Design, at footnote 224 at p160.
            176   Jenna Burrell, ‘How the Machine “Thinks:” Understanding Opacity in Machine Learning Algorithms’ [2016] Big Data &
                Society.
            177   See Frank Pasquale, The Black Box Society: The Secret Algorithms That Control Money and Information, Harvard
                University Press (2015).
            178   Stanford Univ., Machine Learning, COURSERA, https:// www .coursera .org/ learn/ machine -learning/ home/ info  [https://
                perma .cc/ L7KF -CDY4]
            179   See Accountable Algorithms, at footnote 129.
                Paul Ohm and David Lehr, Playing with the Data: What Legal Scholars Should Learn About Machine Learning, Univ. of
                CA, Davis Law Review, 2017, available at https:// lawreview .law .ucdavis .edu/ issues/ 51/ 2/ Symposium/ 51 -2 _Lehr _Ohm .pdf.
            180   Chris Anderson, The End of Theory: The Data Deluge Makes the Scientific Method Obsolete, Wired, 23 June 2008,
                https:// www .wired .com/ 2008/ 06/ pb -theory/
            181   Hildebrandt, Mireille, Preregistration of machine learning research design. Against P-hacking in: BEING PROFILED:
                COGITAS ERGO SUM, ed. Emre Bayamlıoğlu, Irina Baraliuc , Liisa Janssens, Mireille Hildebrandt Amsterdam University
                Press 2018 (forthcoming) (September 27, 2018). Available at SSRN: https:// papers .ssrn .com/ sol3/ papers .cfm ?abstract
                _id = 3256146
            182   Kroll JA. 2018 The fallacy of inscrutability. Phil. Trans. R. Soc. A 376, 20180084. (doi: 10 .1098/ rsta .2018 .0084)
            183   Sandra Wachter, Brent Mittelstadt and Luciano Floridi, ‘Why There Is No Right to Explanation in the General Data
                Protection Regulation’ [2017] International Data Privacy Law https:// papers .ssrn .com/ sol3/ papers .cfm ?abstract _id =
                2903469.
            184   Article 22.
            185   GDPR, Articles 13-15.
            186   Article 29 Data Protection Working Party, ‘Guidelines on Automated Individual Decision Making and Profiling for the
                Purposes of Regulation 2016/679’, see footnote 56, at p28-29.
            187   Future of Privacy Forum, Beyond Explainability: A Practical Guide to Managing Risk in Machine Learning Models (2018).
            188   See Wachter & Mittelstadt, at footnote 57.
            189   See Wachter & Mittelstadt, at footnote 57.
            190   E.g., Central Bank of Kenya, Guideline on Consumer Protection, Section 3.2.1(c)(iv), requires that banks not: take
                advantage of a consumer who is not able to understand the character or nature of a proposed transaction. [A bank]
                shall therefore inquire of the consumer’s specific needs and shall provide suitable products or services relevant to
                those needs. While Section 3.2.2(i) of the Guideline states “Depending on the nature of the transaction and based
                on information provided by a customer, [a bank] should assess and understand the needs of the customer before
                rendering a service.” In addition, Section 3.2.4(a)(ii) also requires banks, when giving advice to customers, ensure that
                “any product or service which the institution recommends to a consumer to buy is suitable for the consumer.”




                                                             Big data, machine learning, consumer protection and privacy  55