Presentation by Christian D'Cunha at the 2019 CMPF Summer School for Journalists and Media Practitioners - Covering Political Campaigns in the Age of Data, Algorithms & Artificial Intelligence
3. Colours
Comprehensive
Public only
Private only
Mainly private
Lower level regulation
Data Protection laws now in 132 countries
Based on
presentation by
G.Greenleaf:
Overview: Global
developments in
data privacy laws,
September 2018
4. Regulatory oversight
•Direct applicable
•One Stop Shop with lead data
protection authority (DPA) for
cross border cases
•Local DPAs for local matters
•Administrative fines up to 2%
or 4% of annual worldwide
turnover
•Individual actions, claims for
damages
•Collective actions
•Criminal sanctions (in national
laws)
Scope of application
•Extraterritorial application to
non-EU based companies
•Broader definition of personal
data and sensitive data, new
data categories
Accountability
•Information obligations
•Data protection by design
•Data security and data breach
notification
•Data processor agreements
•Data Protection Officer
•International data transfers
•Code of Conduct/Certification
•Documentation
•Scalability/ risk-based
Strengthened rights of
individuals
•Right to access
•Right to deletion
•Right to data portability
•Right not to be subject to
automated processing,
including profiling
•Right to object
EU GDPR – Overview
4
5. What is different?
• Territorial scope
• Consent (controller has burden of proof, can be withdrawn at any time);
• Must be freely given, specific, informed and unambiguous
• Requires a statement or clear affirmative action
• Right to data portability: transfer data to another controller in structured and commonly used and machine
readable format
• Right not to be subject to automated decision making which produces legal effects, including profiling:
exemptions
• ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to
evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning
that natural person's performance at work, economic situation, health, personal preferences, interests, reliability,
behaviour, location or movements
• Data breach notification obligation
• to competent data protection authority no later than 72 hours (unless breach is unlikely to result in risk for
rights and freedoms of individuals)
• To affected individuals (if high risks to their rights and freedoms) without undue delay, exemption if data
encrypted
• data controllers must maintain an internal data breach register
5
6. GDPR central casting
1. Controllers
Scalable obligations
Special regimes and exceptions eg scientific research, religious organisations,
purposes of journalistic or academic/artistic/ literary expression
2. Data subjects
3. Independent supervisory authorities
….
4. Processors
5. Third parties
6
7. Beyond individual rights
Data protection is needed not only ‘for personal development of those
individuals’ but also to avoid ‘detriment to the public good… since self-
determination is an elementary prerequisite the functioning of a free
democratic society predicated on the freedom of action and
participation of its members’
German Federal Constitutional Court in 1983 census ruling
7
11. Adtech - sensitive data
Digital records of behaviour can be used to automatically and accurately predict a range of highly sensitive
personal attributes
David Stilwell, Cambridge University 11
16. The misinformation incentive
• Two most shared news stories on Facebook in Q1 2019 were false
(Lorenz)
• Most misinformation spread by humans not bots (Vosoughi et al
2018)
• Around 80% of all You Tube views are recommendations (YouTube)
• People’s cultural and political predispositions are the source not the
outcome of the information they consume (Kahan, 2017)
• Fake news is lucrative and legitimate ad support news media rely on
the same infrastructure (Braun and Eklund, 2019)
16
17. Rising market and informational power
Economic* Individual rights Societal/ environmental
Concentration Diminished choice and control Easy target for malicious actors
Fewer start ups / ‘kill zones’/ Lower
investment
No oxygen for alternative business
models and privacy by design
CO2 emissions
Increasing prices Take it or leave terms of service Local journalism and publishing
Diminishing quality Curated internet experience Damage to public discourse and
health of democracy
Monopsony Dark patterns and exploitation Addiction
Worsening inequality Privacy only for the privileged Information and bargaining
asymmetries
17
* Based on econfip Policy Brief ‘Confronting Market Power’, Baker and Scott Morton, May 2019
19. Use of data for political purposes
Where in the course of electoral activities, the operation of the
democratic system in a Member State requires that political parties
compile personal data on people's political opinions, the processing of
such data may be permitted for reasons of public interest, provided that
appropriate safeguards are established. Recital (56) GDPR
Spanish constitutional court May 2019 – struck down profiling for
electoral purposes
Romania – national parties can process any data without consent
19
20. EU elections and data protection
• Regulation 493/2019 - up 5% fines for European parties in violation
of data protection rules
• European Elections Network since September 2018
• EDPB Statement January 2019
20
21. EDPB Statement 2/2019 on the use of
personal data in the course of political
campaigns 13 March 2019
• Engaging with voters is inherent to the democratic process.
• Politics includes monitoring profiling and targeting – including use of sensitive
data
• Cambridge Analytica illustrates link between data protection, freedom of
expression and freedom to hold opinions, possibility to think freely without
manipulation.
• Personal data revealing political opinions requires explicit, specific, fully
informed, and freely given consent of the individuals.
• Data have been made public are still personal
• Solely automated decision-making, including profiling, with legal or significant
effects (like voting decision) - is restricted.
• People should know who and why they are targeted
21
22. Journalism and data protection
• CJEU C-345/17 [14 February 2019] Sergejs Buivids v. Datu valsts inspekcija
• notion of ‘journalism’ should be interpreted broadly
• exemptions and derogations in Article 9 of Directive 95/46 not only applied to media
companies, but to everyone carrying out journalistic activities.
• So even if not a journalist under national law he may be able to rely on the
derogation for journalistic purposes.
• decisive criterion is whether the sole purpose of the recording and the publishing of
the video was to disclose information, opinion or comments to the public. Eg in this
case – to draw attention to the alleged police malpractice that took place while he
was making his statement.
• Member States must legislate to reconcile data protection and freedom of
expression including processing [not solely] for journalistic purposes
• But Member States are not aligned
22
25. • Humans vs machines
• Defining ‘political’
• Defining ‘journalism’
• Internet as ‘privately run digital intelligence service’
• Rights for those who can afford it
• Privatisation of the public – eg Sidewalk Labs
25
26. 26
... debate has revolved around the misleading, false or
scurrilous information (‘content’) served to people with the
intention of influencing political discourse and elections...
labelled ‘fake news’ or ‘online disinformation’. Solutions have
focused on transparency measures.... while neglecting the
accountability of players in the ecosystem who profit from
harmful behaviour.
... The diminution of intimate space available to people, as a
result of unavoidable surveillance by companies and
governments, has a chilling effect on people’s ability and
willingness to express themselves and form relationships
freely, including in the civic sphere so essential to the health
of democracy. This Opinion is therefore concerned with the
way personal information is used in order to micro-target
individuals and groups with specific content.
28. Future prospects
• Social capital (Puttnam 2000)
• Bonding
• Bridging
• Engagement and empowerment
• Fragmentation and disruption
• Accountability where there is power
• Fair and legal data processing is a minimum
28