A combined presentation by
- Jef Ausloos (https://twitter.com/Jausl00s): background to data subject rights
- Pierre Dewitte (https://twitter.com/PiDewitte): empirically testing the right of access (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3106632)
- Laurens Naudts (https://twitter.com/RoboNaudts): empirically testing the right to an explanation
All three are members of CiTiP, embedded in KU Leuven.
The event was hosted at the VUB (Vrije Universiteit Brussel) with the collaboration of VRG Brussels.
1. Data Subject’s Rights in Practice
Facts, figures, design, practice
Pierre Dewitte, Jef Ausloos & Laurens Naudts
pierre.dewitte@kuleuven.be;
jef.ausloos@kuleuven.be;
laurens.naudts@kuleuven.be
@PiDewitte; @Jausl00s
@RoboNaudts
2.
• Background to Data Subject Rights (Jef)
• Empirically Testing the Right of Access (Pierre)
• Empirically Testing the Right to an Explanation (Laurens)
Overview
4.
Data Subject Rights – C’est quoi?
• Protective Measures: ex ante, e.g. Data Quality Principles; ex post, e.g. DPA Enforcement
• Empowerment Measures: ex ante, e.g. Consent; ex post, e.g. Data Subject Rights
5.
• Integral to data protection discussions since 1960’s
• Data Protection Directive 1995
• Charter of Fundamental Rights 2000
• GDPR 2016
Brief History of Data Subject Rights
6.
• Art.12: Modalities
• Art.13-14: Transparency
• Art.15: Access
• Art.16: Rectification
• Art.17: Erasure
• Art.18: Restriction
• Art.20: Portability
• Art.21: Right to Object
• Art.22: Automated Decision-Making
Data Subject Rights
9.
• Right of access = pivotal
• Guaranteeing accountability/responsibility/compliance
• Enabling other DS rights
• Guaranteeing other legal rights
• Research tool
• Fleshed out in GDPR
• Modalities
Zooming in on the Right of Access
11.
• Nice in theory, but…
• General assumption that these rights are
• Inefficient
• Underused
• Ignored
• Not much empirical data substantiating this
Data Subject Rights in Practice
ssrn.com/abstract=3106632
13. • During academic year 2016-2017, legal-empirical study on the right of access (Art. 15 GDPR)
o Registration and use of 66 online service providers
o Analysis of each service’s privacy policy
o Generic initial request for access
o In-depth follow-up request to obtain a satisfactory answer
• Participants: 1 CiTiP researcher, 3 students involved in the KU Leuven advanced Master in IP and IT Law
• Findings compiled in surveys at every step of the empirical study
• Results and analysis published:
o In IDPL 8(1), February 2018
o As CiTiP Working Paper on SSRN
Empirical study on the right of access
Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1)
available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
14. • Overview of the investigated sectors
Empirical study on the right of access
15. • Some findings on the privacy policies (accessibility)
Empirical study on the right of access
Number of clicks it takes to get from the homepage to the privacy policy
16. • Some findings on the privacy policies (completeness)
Empirical study on the right of access
Information provided by controllers in their privacy policy
17. • Some findings on the filing of the initial request (mention of RoA)
Empirical study on the right of access
Specific mention of the right of access in the privacy policy
18. • Some findings on the filing of the initial request (modalities)
Empirical study on the right of access
Specific ways mentioned in the privacy policy to exercise the right of access
19. • Some findings on the follow-up request (answers)
Empirical study on the right of access
Number of controllers who responded to our initial request: 74% responded, 26% did not
20. • Some findings on the follow-up request (delay)
Empirical study on the right of access
Days controllers took to respond to the initial request (other than confirmation of receipt)
21. • Some findings on the follow-up request (information provided)
Empirical study on the right of access
Information provided following the access request
22. • Some findings on the follow-up request (medium)
Empirical study on the right of access
Medium used to provide the answers
23. • Some findings on the follow-up request (misunderstanding)
o Many controllers referred to their privacy policy
o Some of them mentioned the possibility to edit our profile via the service itself (name, address, etc.)
o Others did not know the existence of the right of access at all and questioned us to obtain more information
Empirical study on the right of access
24. • Some findings on the follow-up request (irritation, bad faith)
o Some controllers reacted with suspicion, irritation, reluctance and even bad faith to our access request
Empirical study on the right of access
(…) All required information is made available in our privacy policy. If you think it’s insufficient or believe ***** is not trustworthy, we’re happy to delete your account and all related data. If you would like to use the site, then you automatically accept our user agreement and privacy policy. (…) We receive this type of question once or twice a year, and it always comes from people who have no intention of being active on *****. So if you have a real concern, we’re happy to explain more info
25. • Some findings on the follow-up request (irritation, bad faith)
o Some controllers reacted with suspicion, irritation, reluctance and even bad faith to our access request
Empirical study on the right of access
This type of legislation is the reason we incorporated ***** in the US and not in *****. In reality, real users never ask for this type of information. They just delete their account. Our work is to ***** in the most trustworthy way. We have now deleted your account and have no data on file anymore, apart from this email in a separate customer support system. We have hereby fulfilled your request. And for all clarity: we treat real users and their privacy with the utmost respect. But we don’t spend expensive resources to respond to frivolous requests
26. • Lack of awareness
• Lack of organization
• Lack of motivation
• Lack of harmonization
Empirical study on the right of access
27. • GDPR, paradigm shift?
o More information to be provided: Article 12(a) DPD v. 15(1) GDPR
o Well-defined practical modalities: Article 12(a) DPD v. 12 GDPR
o Mandatory appointment of a DPO if certain conditions are met
o Introduction of Data Protection by Design (see infra)
o Guidance from national supervisory authorities or EDPB
o Awaited codes of conduct and certification mechanisms
o Heavier fines as a driver
o Market-driven incentives
o Awareness-raising effect of the GDPR
o Civil society initiatives (Usable Privacy, Polisis, Data Rights Finder,…)
Empirical study on the right of access
A bright future for transparency, the right of access and user empowerment in general?
29. • Increasing use of algorithms impacting our daily lives
o Both online (e.g. tailored newsfeed on social media, targeted advertising) and offline (e.g. smart cities)
• GDPR includes a so-called ‘right to explanation’ of decisions based solely on automated processing. Spread across several provisions:
o Transparency requirements: Art. 13(2)f and 14(2)g
o Right of access: Art. 15(1)g
o Specific provision: Art. 22(3) and Rec. 71
• How this specific provision is interpreted and accommodated in practice by controllers remains largely unknown
o Ex ante explanation of how the system works?
o Ex post explanation on how a specific decision was reached?
Empirical study on the so-called ‘right to explanation’
Algorithmic Transparency and Accountability in Practice (ATAP), KU Leuven CiTiP
and MintLab, <https://www.law.kuleuven.be/citip/en/research/projects/ongoing/atap>
30. • During academic year 2018-2019, legal-empirical study on the ‘right to explanation’ of decisions taken by news recommender systems
o First-party content providers (e.g. newspaper website)
o News aggregators (e.g. Flipboard)
o Social media (e.g. Twitter)
• Participants: 5 CiTiP researchers, 3 MintLab researchers, 4 students involved in the KU Leuven advanced Master in IP and IT Law
Empirical study on the so-called ‘right to explanation’
Project phases: Desktop research; Empirical research; Design research; Target policy-makers and UI Designers
31.
• Complexity
• Technical Level
• Expert knowledge required in order to understand and translate recommender systems
• Dependent on target audience
• Data Level
• Explanation requires insight into the entire automated chain
• Legal Level
• Disparity amongst legal instruments available to the data subject
• Data Administration might lead to Indifference or Fatigue
• Intellectual Property versus Granularity
• Design Level
• Different ‘Recommender Purposes’ require Different Explanations
Challenges to Explanations and Transparency
33. • To exercise data subject’s rights:
o https://www.mydatadoneright.eu/: helps individuals to exercise their rights (access, erasure, rectification, portability)
o https://www.personaldata.io: helps with in-depth/complicated access requests (e.g. Tinder ‘hotness factor’, Facebook Hive data, Uber data, Deliveroo data etc.)
• To better understand privacy policies:
o https://www.datarightsfinder.org/: summarises privacy policies and assists with the drafting of requests (focus on financial services)
o https://www.usableprivacy.org/: summarises human- and machine-annotated privacy policies
o https://pribot.org/polisis: AI-powered privacy policy analysis
Assistance along the way
Mention link to paper.
Mention other initiatives in the field of privacy policy analysis:
Jamila Venturini, Luiza Louzada, Marilia Maciel, Nicolo Zingales, Konstantinos Stylianou, Luca Belli, Terms of Service and Human Rights: an Analysis of Online Platform Contracts (Revan 2016) <http://internet-governance.fgv.br/sites/internet-governance.fgv.br/files/publicacoes/terms_of_services_06_12_2016.pdf> accessed 19 October 2017;
Brendan Van Alsenoy, Valerie Verdoodt, Rob Heyman, Jef Ausloos, Ellen Wauters, ‘From social media service to advertising network. A critical analysis of Facebook’s Revised Policies and Terms’, 25 February 2015 <https://www.law.kuleuven.be/citip/en/news/item/facebooks-revised-policies-and-terms-v1-2.pdf> accessed 19 October 2017;
Habib H and others, ‘An Empirical Analysis of Website Data Deletion and Opt-Out Choices’ (2018)
Kumar P, ‘Privacy Policies and Their Lack of Clear Disclosure Regarding the Life Cycle of User Information’, 2016 AAAI Fall Symposium Series (2016)
In deliberation with these students, a selection of 66 commonly used (across the EU) information society service providers was made.
While a vast majority (80%) of investigated privacy policies were reached in only one or two clicks from the homepage (fig.2), the process was still rated “difficult” to “very difficult” in 31% of instances.
The most important reasons in those 31% were:
- Poor design, e.g. by not following today’s widespread standard of placing a hyperlink to the privacy section at the bottom of every page;
- The fact that information relating to privacy and data protection was also lumped together with the provider’s general terms and conditions;
- The fact that information relating to the privacy policy was hidden behind a vaguely or wrongly titled link such as “Legal terms” or “Cookies policy”.
The list of information to be provided by controllers is not a novelty of the GDPR:
Already in Articles 11-12 DPD
Now in Articles 13-14 GDPR (expanded list)
Two main questions were assessed: (i) is the right of access specifically mentioned? and (ii) where/how should such a request be sent?
Regarding the first question, it is worth recalling that Articles 10(c) and 11(1)c of Directive 95/46 (Arts. 13(2)b and 14(2)c GDPR) oblige controllers to mention the existence of such a prerogative in their privacy policy.
Regarding the second question, it is worth recalling that, while failing to specify the practical modalities for exercising the right of access may not violate Directive 95/46, this is likely to change with the GDPR, which obliges controllers to “facilitate the exercise of data subject rights under Articles 15 to 22”. It can therefore reasonably be assumed that providing a clear procedural scheme to data subjects willing to exercise their right of access will be part of controllers’ new set of duties under the GDPR (Art. 12(2) GDPR). The exact meaning of what will constitute a facilitative practice is not clear today. This will be further specified by national DPAs, national courts and the European Data Protection Board once the GDPR enters into force.
Virtually all providers are collecting non-registered users’ personal data as well (even if only through installing cookies or collecting IP addresses when visiting their website). Nevertheless, many only allow an access request to be filed through a contact point made exclusively available to registered users. In such situations finding alternative means of reaching the controller can often be considered unreasonable and disproportionate, not to mention using such alternative means may often prove ineffective.
After five months, when it was decided to bring the empirical study to an end, only 74% of the investigated online service providers had responded, whether with a satisfying answer or not. In other words, 26% of them remained completely silent despite multiple reminders. As a result, the number of responses being assessed as part of the empirical study was already reduced by a quarter compared to the number of providers contacted.
The delay in responding to queries also appeared problematic in a significant number of cases. 56% of responses arrived more than 30 days after the initial request had been sent (fig.10). At the time of the empirical research, legal time limits depended on national implementing acts. This will, however, no longer be the case once the GDPR enters into force.
Most of the time, either:
Basic and therefore not exhaustive enough (contra Art. 15(1) GDPR);
Complex and therefore not easily legible (contra Art. 12(1) GDPR).
Confusion between access and erasure;
- Even proactive erasure while not requested;
Lack of awareness (unaware of the existence of DP law, misunderstanding about the basic notions such as ‘personal data’ or the territorial scope of application)
Lack of organization (no department or team in charge of DP issues, no procedure for handling data subject’s rights, technical constraints due to the way controllers were handling their datasets)
Lack of motivation (see example supra)
Lack of harmonization (at the time, national implementations of DPD relevant for time limits, exception to data subject’s rights, modalities, etc.). Partially lifted under the GDPR, at least when it comes to the modalities surrounding the exercise of data subject’s rights.
More information to be provided (e.g. retention period, existence of rights, right to lodge a complaint with a supervisory authority, information on transfers to third countries, etc.).
Well-defined practical modalities (e.g. free of charge, one month time limit, form of request, form of answer, intelligibility)
DPO: remedy the lack of awareness
DPbD: The empirical study has indeed demonstrated that a significant number of controllers struggled to even identify and locate the requested pieces of information. This could be avoided by developing/reconfiguring their systems in such a way to facilitate the retrieval of relevant data in a secure and individualised way. Indeed, their systems should be designed in a way that enables the exercise of data subject rights. Ideally, this would go as far as to actively facilitate exercising such rights, for example through automating the process and ensuring information is machine-readable and interoperable (cf. Art.20 on the right to data portability). Easier said than done, but cornerstone.
Guidance from national SA or EDPB in terms of templates, scenario-based approach (parallel critical infrastructure in air law).
Codes of conduct for addressing data subjects’ rights (Art. 40(2)f), certification mechanisms to make it more scalable.
Yet, looking at how similar instruments have worked in other sectors (e.g. financial industry), some scepticism as to their added value seems warranted.
Mention link to the project.
Art. 22(1): automated decision-making = ‘a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her’.
Art. 13(2)f and 14(2) (privacy policy; ex ante basis):
Existence of automated decision-making;
At least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
In other cases, also possible but not mandatory.
Art. 15(1)h (right, ex post basis):
Existence of automated decision-making;
At least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
In other cases, also possible but not mandatory.
Art. 22(3): Only in case of automated decision-making based on contract or consent, obligation for the controller to implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision (+ Rec. 71: obtain an explanation).
Desktop research (legal scholarship; HCI scholarship; interdisciplinary problem formulation)
Empirical research (setting-up; conduct; interdisciplinary analysis of the results)
Design research (organisation of co-design workshops; creation of interface prototypes; experimentation assessing the impact of the prototypes on users’ comprehension)
Recommendations (development of a teaching module; drafting of evidence-based recommendations for regulators, policy-makers and designers; valorisation)
Traditional legal desktop research, mapping and summarising the relevant literature on the right to explanation in EU data protection law.
OUTPUT: chapter to be incorporated into Deliverable 1
Literature review of research on the design and evaluation of transparent algorithmic systems, documenting best practices and guidelines as input for WP3
OUTPUT: chapter to be incorporated into Deliverable 1
Combine insights gained in Tasks 1.1. and 1.2. so as to come to a more holistic problem statement.
OUTPUT: Deliverable 1 - Mapping key challenges to the right to an explanation, an interdisciplinary approach.
Work Package 2. Empirical Research (M3-11). Lead: CiTiP
This task consists of all necessary preparations to enable data gathering in T2.2. Drafting list of questions to be investigated, building on T1.3.; identify relevant actors to be investigated; develop online surveys for easy and centralised data gathering. The actual implementation of the scripts and lists of questions will be done in collaboration with PersonalData.io.
OUTPUT: surveys, research script.
Conducting the actual empirical research, consisting of contacting online service providers and assessing their compliance strategies for accommodating the right to explanation.
OUTPUT: excel sheets, comprehensively mapping all gathered data.
Interdisciplinary analysis of the results, to identify key issues.
OUTPUT: joint report, co-authored between CiTiP/MintLab.
Work Package 3. Design Research (M7-16). Lead: MintLab
Using input from WP1 and WP2, as well as from a sensitising activity (diary study), two co-design workshops will be organised with 20 end-users.
OUTPUT: user experience of algorithmic systems; list of elements that are to be made transparent.
Based on the outcome of T3.1, several interface prototypes will be created that offer different variations of algorithmic transparency.
OUTPUT: interactive medium-fidelity prototypes.
Using prototypes created in T3.2, several between-subjects experiments will be set up to assess the impact of the various interface designs on the users’ comprehension, acceptance and trust of the prototypes.
OUTPUT: detailed analysis of impact of interface elements on user ratings.
Work Package 4: