Data Subject’s Rights in Practice
Facts, figures, design, practice
Pierre Dewitte, Jef Ausloos & Laurens Naudts
pierre.dewitte@kuleuven.be;
jef.ausloos@kuleuven.be;
laurens.naudts@kuleuven.be
@PiDewitte; @Jausl00s
@RoboNaudts
• Background to Data Subject Rights (Jef)
• Empirically Testing the Right of Access (Pierre)
• Empirically Testing the Right to an Explanation (Laurens)
Overview
Background to Data Subject
Rights
Jef Ausloos
Empower all the people!
Data Subject Rights – What Are They?
Protective Measures: Ex Ante, e.g. Data Quality Principles; Ex Post, e.g. DPA Enforcement
Empowerment Measures: Ex Ante, e.g. Consent; Ex Post, e.g. Data Subject Rights
• Integral to data protection discussions since 1960’s
• Data Protection Directive 1995
• Charter of Fundamental Rights 2000
• GDPR 2016
Brief History of Data Subject Rights
• Art.12: Modalities
• Art.13-14: Transparency
• Art.15: Access
• Art.16: Rectification
• Art.17: Erasure
• Art.18: Restriction
• Art.20: Portability
• Art.21: Right to Object
• Art.22: Automated Decision-Making
Data Subject Rights
• Right of access = pivotal
• Guaranteeing accountability/responsibility/compliance
• Enabling other DS rights
• Guaranteeing other legal rights
• Research tool
• Fleshed out in GDPR
Zooming in on the Right of Access
• Right of access = pivotal
• Guaranteeing accountability/responsibility/compliance
• Enabling other DS rights
• Guaranteeing other legal rights
• Research tool
• Fleshed out in GDPR
• Modalities
Zooming in on the Right of Access
• Nice in theory, but…
• General assumption that these rights are
• Inefficient
• Underused
• Ignored
• Not much empirical data substantiating this
Data Subject Rights in Practice
ssrn.com/abstract=3106632
Empirically Testing the
Right of Access
Pierre Dewitte
• During academic year 2016-2017, legal-empirical study on the right
of access (Art. 15 GDPR)
o Registration and use of 66 online service providers
o Analysis of each service’s privacy policy
o Generic initial request for access
o In-depth follow-up request to obtain a satisfactory answer
• Participants: 1 CiTiP researcher, 3 students involved in the KU
Leuven advanced Master in IP and IT Law
• Findings compiled in surveys at every step of the empirical study
• Results and analysis published:
o In IDPL 8(1), February 2018
o As CiTiP Working Paper on SSRN
Empirical study on the right of access
Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1)
available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
• Overview of the investigated sectors
• Some findings on the privacy policies (accessibility)
Number of clicks it takes to get from the homepage to the privacy policy
• Some findings on the privacy policies (completeness)
Information provided by controllers in their privacy policy
• Some findings on the filing of the initial request (mention of RoA)
Specific mention of the right of access in the privacy policy
• Some findings on the filing of the initial request (modalities)
Specific ways mentioned in the privacy policy to exercise the right of access
• Some findings on the follow-up request (answers)
74%
26%
Number of controllers who responded to our initial request
• Some findings on the follow-up request (delay)
Days controllers took to respond to the initial request (other than confirmation of receipt)
• Some findings on the follow-up request (information provided)
Information provided following the access request
• Some findings on the follow-up request (medium)
Medium used to provide the answers
• Some findings on the follow-up request (misunderstanding)
o Many controllers referred to their privacy policy
o Some of them mentioned the possibility to edit our profile via the
service itself (name, address, etc.)
o Others did not know of the existence of the right of access at all and
questioned us to obtain more information
• Some findings on the follow-up request (irritation, bad faith)
o Some controllers reacted with suspicion, irritation, reluctance and
even bad faith to our access request
(…) All required information is made
available in our privacy policy. If you
think it’s insufficient or believe *****
is not trustworthy, we’re happy to
delete your account and all related
data. If you would like to use the
site, then you automatically accept
our user agreement and privacy
policy. (…) We receive this type of
question once or twice a year, and it
always comes from people who
have no intention of being active on
*****. So if you have a real concern,
we’re happy to explain more info
• Some findings on the follow-up request (irritation, bad faith)
o Some controllers reacted with suspicion, irritation, reluctance and
even bad faith to our access request
This type of legislation is the reason we
incorporated ***** in the US and not in
*****. In reality, real users never ask for this
type of information. They just delete their
account. Our work is to ***** in the most
trustworthy way. We have now deleted
your account and have no data on file
anymore, apart from this email in a
separate customer support system. We
have hereby fulfilled your request. And for
all clarity: we treat real users and their
privacy with the utmost respect. But we
don’t spend expensive resources to
respond to frivolous requests
• Lack of awareness
• Lack of organization
• Lack of motivation
• Lack of harmonization
• GDPR, paradigm shift?
o More information to be provided: Article 12(a) DPD v. 15(1) GDPR
o Well-defined practical modalities: Article 12(a) DPD v. 12 GDPR
o Mandatory appointment of a DPO if certain conditions are met
o Introduction of Data Protection by Design (see infra)
o Guidance from national supervisory authorities or EDPB
o Awaited codes of conduct and certification mechanisms
o Heavier fines as a driver
o Market-driven incentives
o Awareness-raising effect of the GDPR
o Civil society initiatives (Usable Privacy, Polisis, Data Rights Finder,…)
A bright future for transparency, the right of access and
user empowerment in general?
Empirically Testing the
Right to an Explanation
Laurens Naudts
• Increasing use of algorithms impacting our daily lives
o Both online (e.g. tailored newsfeed on social media, targeted
advertising) and offline (e.g. smart cities)
• GDPR includes a so-called ‘right to explanation’ of decisions based
solely on automated processing. Spread across several provisions:
o Transparency requirements: Art. 13(2)f and 14(2)g
o Right of access: Art. 15(1)g
o Specific provision: Art. 22(3) and Rec. 71
• How this specific provision is interpreted and accommodated in
practice by controllers remains largely unknown
o Ex ante explanation of how the system works?
o Ex post explanation on how a specific decision was reached?
Empirical study on the so-called
‘right to explanation’
Algorithmic Transparency and Accountability in Practice (ATAP), KU Leuven CiTiP
and MintLab, <https://www.law.kuleuven.be/citip/en/research/projects/ongoing/atap>
• During academic year 2018-2019, legal-empirical study on the ‘right
to explanation’ of decisions taken by news recommender systems
o First-party content providers (e.g. newspaper website)
o News aggregators (e.g. Flipboard)
o Social media (e.g. Twitter)
• Participants: 5 CiTiP researchers, 3 MintLab researchers, 4 students
involved in the KU Leuven advanced Master in IP and IT Law
• Desktop research
• Empirical research
• Design research
• Target policy-makers and UI designers
• Complexity
• Technical Level
• Expert knowledge required in order to understand and translate
recommender systems
• Dependent on target audience
• Data Level
• Explanation requires insight into the entire automated chain
• Legal Level
• Disparity amongst legal instruments available to the data subject
• Data Administration might lead to Indifference or Fatigue
• Intellectual Property versus Granularity
• Design Level
• Different ‘Recommender Purposes’ require Different Explanations
Challenges to Explanations and
Transparency
Fight for your rights!
(You’re not alone)
• To exercise data subject’s rights:
o https://www.mydatadoneright.eu/: helps individuals to exercise their
rights (access, erasure, rectification, portability)
o https://www.personaldata.io: helps with in-depth/complicated access
requests (e.g. Tinder ‘hotness factor’, Facebook Hive data, Uber data,
Deliveroo data etc.)
• To better understand privacy policies:
o https://www.datarightsfinder.org/: summarises privacy policies and
assists with the drafting of requests (focus on financial services)
o https://www.usableprivacy.org/: summarises human- and machine-annotated
privacy policies
o https://pribot.org/polisis: AI-powered privacy policy analysis
Assistance along the way
Thanks for your
attention!
KU Leuven
Centre for IT & IP Law (CiTiP) –
imec
www.law.kuleuven.be/citip

 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 

20190221 Data subject rights in practice

  • 1. Data Subject’s Rights in Practice Facts, figures, design, practice Pierre Dewitte, Jef Ausloos & Laurens Naudts pierre.dewitte@kuleuven.be; jef.ausloos@kuleuven.be; laurens.naudts@kuleuven.be @PiDewitte; @Jausl00s @RoboNaudts
  • 2. 2 • Background to Data Subject Rights Jef • Empirically Testing the Right of Access Pierre • Empirically Testing the Right to an Explanation Laurens Overview
  • 3. Background to Data Subject Rights Jef Ausloos Empower all the people !
  • 4. 4 Data Subject Rights – C’est quoi? Ex Ante Ex Post Protective Measures E.g. Data Quality Principles E.g. DPA Enforcement Empowerment Measures E.g. Consent E.g. Data Subject Rights
  • 5. 5 • Integral to data protection discussions since 1960’s • Data Protection Directive 1995 • Charter of Fundamental Rights 2000 • GDPR 2016 Brief History of Data Subject Rights
  • 6. 6 • Art.12: Modalities • Art.13-14: Transparency • Art.15: Access • Art.16: Rectification • Art.17: Erasure • Art.18: Restriction • Art.20: Portability • Art.21: Right to Object • Art.22: Automated Decision-Making Data Subject Rights
  • 7. 7 • Right of access = pivotal • Guaranteeing accountability/responsibility/compliance • Enabling other DS rights • Guaranteeing other legal rights • Research tool • Fleshed out in GDPR Zooming in on the Right of Access
  • 8. 8
  • 9. 9 • Right of access = pivotal • Guaranteeing accountability/responsibility/compliance • Enabling other DS rights • Guaranteeing other legal rights • Research tool • Fleshed out in GDPR • Modalities Zooming in on the Right of Access
  • 10. 10
  • 11. 11 • Nice in theory, but… • General assumption that these rights are • Inefficient • Underused • Ignored • Not much empirical data substantiating this Data Subject Rights in Practice ssrn.com/abstract=3106632
  • 12. Empirically Testing the Right of Access Pierre Dewitte
  • 13. • During academic year 2016-2017, legal-empirical study on the right of access (Art. 15 GDPR) o Registration and use of 66 online service providers o Analysis of each service’s privacy policy o Generic initial request for access o In-depth follow-up request to obtain a satisfactory answer • Participants: 1 CiTiP researcher, 3 students involved in the KU Leuven advanced Master in IP and IT Law • Findings compiled in surveys at every step of the empirical study • Results and analysis published: o In IDPL 8(1), February 2018 o As CiTiP Working Paper on SSRN Empirical study on the right of access Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 14. • Overview of the investigated sectors Empirical study on the right of access Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 15. • Some findings on the privacy policies (accessibility) Empirical study on the right of access Number of clicks it takes to get from the homepage to the privacy policy Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 16. • Some findings on the privacy policies (completeness) Empirical study on the right of access Information provided by controllers in their privacy policy Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 17. • Some findings on the filing of the initial request (mention of RoA) Empirical study on the right of access Specific mention of the right of access in the privacy policy Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 18. • Some findings on the filing of the initial request (modalities) Empirical study on the right of access Specific ways mentioned in the privacy policy to exercise the right of access Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 19. • Some findings on the follow-up request (answers) Empirical study on the right of access 74% 26% Number of controllers who responded to our initial request Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 20. • Some findings on the follow-up request (delay) Empirical study on the right of access Days controllers took to respond to the initial request (other than confirmation of receipt) Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 21. • Some findings on the follow-up request (information provided) Empirical study on the right of access Information provided following the access request Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 22. • Some findings on the follow-up request (medium) Empirical study on the right of access Medium used to provide the answers Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 23. • Some findings on the follow-up request (misunderstanding) o Many controllers referred to their privacy policy o Some of them mentioned the possibility to edit our profile via the service itself (name, address, etc.) o Others did not know the existence of the right of access at all and questioned us to obtain more information Empirical study on the right of access Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 24. • Some findings on the follow-up request (irritation, bad faith) o Some controllers reacted with suspicion, irritation, reluctance and even bad faith to our access request Empirical study on the right of access (…) All required information is made available in our privacy policy. If you think it’s insufficient or believe ***** is not trustworthy, we’re happy to delete your account and all related data. If you would like to use the site, then you automatically accept our user agreement and privacy policy. (…) We receive this type of question once or twice a year, and it always comes from people who have no intention of being active on *****. So if you have a real concern, we’re happy to explain more info Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 25. • Some findings on the follow-up request (irritation, bad faith) o Some controllers reacted with suspicion, irritation, reluctance and even bad faith to our access request Empirical study on the right of access This type of legislation is the reason we incorporated ***** in the US and not in *****. In reality, real users never ask for this type of information. They just delete their account. Our work is to ***** in the most trustworthy way. We have now deleted your account and have no data on file anymore, apart from this email in a separate customer support system. We have hereby fulfilled your request. And for all clarity: we treat real users and their privacy with the utmost respect. But we don’t spend expensive resources to respond to frivolous requests Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 26. Lack of awareness Lack of organization Lack of motivation Lack of harmonization Empirical study on the right of access Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 27. • GDPR, paradigm shift? o More information to be provided: Article 12(a) DPD v. 15(1) GDPR o Well-defined practical modalities: Article 12(a) DPD v. 12 GDPR o Mandatory appointment of a DPO if certain conditions are met o Introduction of Data Protection by Design (see infra) o Guidance from national supervisory authorities or EDPB o Awaited codes of conduct and certification mechanisms o Heavier fines as a driver o Market-driven incentives o Awareness-raising effect of the GDPR o Civil society initiatives (Usable Privacy, Polisis, Data Rights Finder,…) Empirical study on the right of access A bright future for transparency, the right of access and user empowerment in general? Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 28. Empirically Testing the Right to an Explanation Laurens Naudts
  • 29. • Increasing use of algorithms impacting our daily lives o Both online (e.g. tailored newsfeed on social media, targeted advertising) and offline (e.g. smart cities) • GDPR includes a so-called ‘right to explanation’ of decisions based solely on automated processing. Spread across several provisions: o Transparency requirements: Art. 13(2)f and 14(2)g o Right of access: Art. 15(1)g o Specific provision: Art. 22(3) and Rec. 71 • How this specific provision is interpreted and accommodated in practice by controllers remains largely unknown o Ex ante explanation of how the system works? o Ex post explanation on how a specific decision was reached? Empirical study on the so-called ‘right to explanation’ Algorithmic Transparency and Accountability in Practice (ATAP), KU Leuven CiTiP and MintLab, <https://www.law.kuleuven.be/citip/en/research/projects/ongoing/atap>
  • 30. • During academic year 2018-2019, legal-empirical study on the ‘right to explanation’ of decisions taken by news recommender systems o First-party content providers (e.g. newspaper website) o News aggregators (e.g. Flipboard) o Social media (e.g. Twitter) • Participants: 5 CiTiP researchers, 3 MintLab researchers, 4 students involved in the KU Leuven advanced Master in IP and IT Law Empirical study on the so-called ‘right to explanation’ Desktop research Empirical research Design research Target policy- makers and UI Designers Algorithmic Transparency and Accountability in Practice (ATAP), KU Leuven CiTiP and MintLab, <https://www.law.kuleuven.be/citip/en/research/projects/ongoing/atap>
  • 31. 31 • Complexity • Technical Level • Expert knowledge required in order to understand and translate recommender systems, • Dependent on target audience • Data Level • Explanation requires insight into the entire automated chain • Legal Level • Disparity amongst legal instruments available to the data subject • Data Administration might lead to Indifference or Fatigue • Intellectual Property versus Granularity • Design Level • Different ‘Recommender Purposes’ require Different Explanations Challenges to Explanations and Transparency
  • 32. Fight for your rights! (You’re not alone)
  • 33. • To exercise data subject’s rights: o https://www.mydatadoneright.eu/: helps individuals to exercise their rights (access, erasure, rectification, portability) o https://www.personaldata.io: helps with in-depth/complicated access requests (e.g. Tinder ‘hotness factor’, Facebook Hive data, Uber data, Deliveroo data etc.) • To better understand privacy policies: o https://www.datarightsfinder.org/: summarises privacy policies and assists with the drafting of requests (focus on financial services) o https://www.usableprivacy.org/: summarises human- and machine annotated privacy policies o https://pribot.org/polisis: AI-powered privacy policy analysis Assistance along the way
  • 34. Thanks for your attention! KU Leuven Centre for IT & IP Law (CiTiP) – imec www.law.kuleuven.be/citip

Editor's notes

  1. Mention link to paper. Mention other initiatives in the field of privacy policy analysis: Jamila Venturini, Luiza Louzada, Marilia Maciel, Nicolo Zingales, Konstantinos Stylianou, Luca Belli, Terms of Service and Human Rights: an Analysis of Online Platform Contracts (Revan 2016) <http://internet-governance.fgv.br/sites/internet-governance.fgv.br/files/publicacoes/terms_of_services_06_12_2016.pdf> accessed 19 October 2017; Brendan Van Alsenoy, Valerie Verdoodt, Rob Heyman, Jef Ausloos, Ellen Wauters, ‘From social media service to advertising network. A critical analysis of Facebook’s Revised Policies and Terms’, 25 February 2015 <https://www.law.kuleuven.be/citip/en/news/item/facebooks-revised-policies-and-terms-v1-2.pdf> accessed 19 October 2017; Habib H and others, ‘An Empirical Analysis of Website Data Deletion and Opt-Out Choices’ (2018); Kumar P, ‘Privacy Policies and Their Lack of Clear Disclosure Regarding the Life Cycle of User Information’, 2016 AAAI Fall Symposium Series (2016)
  2. In deliberation with these students, a selection of 66 commonly used (across the EU) information society service providers was made.
  3. While a vast majority (80%) of investigated privacy policies were reached in only one or two clicks from the homepage (fig.2), the process was still rated “difficult” to “very difficult” in 31% of instances. The most important reasons in those 31% were: poor design, e.g. by not following today’s widespread standard of placing a hyperlink to the privacy section at the bottom of every page; the fact that information relating to privacy and data protection was also lumped together with the provider’s general terms and conditions; the fact that information relating to the privacy policy was hidden behind a vaguely or wrongly-titled link such as “Legal terms” or “Cookies policy”.
  4. List of information to be provided for by controllers is not a novelty of the GDPR: Already in Articles 11-12 DPD Now in Articles 13-14 GDPR (expanded list)
  5. Two main questions were assessed: (i) is the right of access specifically mentioned? and (ii) where/how should such a request be sent?: Regarding the first question, it is worth recalling that Articles 10(c) and 11(1)c of Directive 95/46 (Artt. 13(2)b and 14(2)c GDPR) oblige controllers to mention the existence of such a prerogative in their privacy policy. Regarding the second question, it is worth recalling that, while failing to specify the practical modalities for exercising the right of access may not violate Directive 95/46, this is likely to change with the GDPR which obliges controllers to “facilitate the exercise of data subject rights under Articles 15 to 22”. It can therefore reasonably be assumed that providing a clear procedural scheme to data subjects willing to exercise their right of access will be part of controllers’ new set of duties under the GDPR. Art. 12(2) GDPR. The exact meaning of what will constitute a facilitative practice is not clear today. This will be further specified by national DPAs, national courts and the European Data Protection Board once the GDPR enters into force.
  6. Virtually all providers are collecting non-registered users’ personal data as well (even if only through installing cookies or collecting IP addresses when visiting their website). Nevertheless, many only allow an access request to be filed through a contact point made exclusively available to registered users. In such situations finding alternative means of reaching the controller can often be considered unreasonable and disproportionate, not to mention using such alternative means may often prove ineffective.
  7. After five months, when it was decided to bring the empirical study to an end, only 74% of the investigated online service providers had responded, whether with a satisfying answer or not. In other words, 26% of them remained completely silent despite multiple reminders. As a result, the amount of responses being assessed as part of the empirical study was already reduced by a quarter compared to the number of providers contacted.
  8. The delay in responding to queries also appeared problematic in a significant number of cases. 56% of responses arrived more than 30 days after the initial request had been sent (fig.10). At the time of the empirical research, legal time limits depended on national implementing acts. This will, however, no longer be the case once the GDPR enters into force.
  9. Most of the time, either: Basic and therefore not exhaustive enough (contra Art. 15(1) GDPR); Complex and therefore not easily legible (contra Art. 12(1) GDPR).
  10. Confusion between access and erasure;
  11. Even proactive erasure while not requested.
  12. Lack of awareness (unaware of the existence of DP law, misunderstanding about the basic notions such as ‘personal data’ or the territorial scope of application). Lack of organization (no department or team in charge of DP issues, no procedure for handling data subject’s rights, technical constraints due to the way controllers were handling their datasets). Lack of motivation (see example supra). Lack of harmonization (at the time, national implementations of DPD relevant for time limits, exception to data subject’s rights, modalities, etc.). Partially lifted under GDPR, at least when it comes to the modalities surrounding the exercise of data subject’s rights.
  13. More information to be provided (e.g. retention period, existence of rights, right to lodge a complaint with a supervisory authority, information on transfers to third countries, etc.). Well-defined practical modalities (e.g. free of charge, one month time limit, form of request, form of answer, intelligibility). DPO: remedy the lack of awareness. DPbD: The empirical study has indeed demonstrated that a significant number of controllers struggled to even identify and locate the requested pieces of information. This could be avoided by developing/reconfiguring their systems in such a way to facilitate the retrieval of relevant data in a secure and individualised way. Indeed, their systems should be designed in a way that enables the exercise of data subject rights. Ideally, this would go as far as to actively facilitate exercising such rights, for example through automating the process and ensuring information is machine-readable and interoperable (cf. Art.20 on the right to data portability). Easier said than done, but cornerstone. Guidance from national SA or EDPB in terms of templates, scenario-based approach (parallel critical infrastructure in air law). Codes of conduct for addressing data subjects’ rights (Art. 40(2)f), certification mechanisms to make it more scalable. Yet, looking at how similar instruments have worked in other sectors (e.g. financial industry), some scepticism as to their added value seems warranted.
  14. Mention link to the project. Art. 22(1): automated decision-making = ‘a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her’. Art. 13(2)f and 14(2) (privacy policy; ex ante basis): Existence of automated decision-making; At least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; In other cases, also possible but not mandatory. Art. 15(1)h (right, ex post basis): Existence of automated decision-making; At least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; In other cases, also possible but not mandatory. Art. 22(3): Only in case of automated decision-making based on contract or consent, obligation for the controller to implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision (+ Rec. 71: obtain an explanation).
  15. Desktop research (legal scholarship; HCI scholarship; interdisciplinary problem formulation) Empirical research (setting-up; conduct; interdisciplinary analysis of the results) Design research (organisation of co-design workshops; creation of interface prototypes; experimentation assessing the impact of the prototypes on users’ comprehension) Recommendations (development of a teaching module; drafting of evidence-based recommendations for regulators, policy-makers and designers; valorisation) Traditional legal desktop research, mapping and summarising the relevant literature on the right to explanation in EU data protection law. OUTPUT: chapter to be incorporated into Deliverable 1   Literature review of research on the design and evaluation of transparent algorithmic systems, documenting best practices and guidelines as input for WP3 OUTPUT: chapter to be incorporated into Deliverable 1   Combine insights gained in Tasks 1.1. and 1.2. so as to come to a more holistic problem statement. OUTPUT: Deliverable 1 - Mapping key challenges to the right to an explanation, an interdisciplinary approach.   Work Package 2. Empirical Research (M3-11). Lead: CiTiP This task consists of all necessary preparations to enable data gathering in T2.2. Drafting list of questions to be investigated, building on T1.3.; identify relevant actors to be investigated; develop online surveys for easy and centralised data gathering. The actual implementation of the scripts and lists of questions will be done in collaboration with PersonalData.io. OUTPUT: surveys, research script.   Conducting the actual empirical research, consisting of contacting online service providers and assess their compliance strategies for accommodating the right to explanation. OUTPUT: excel sheets, comprehensively mapping all gathered data.   Interdisciplinary analysis of the results, to identify key issues. OUTPUT: joint report, co-authored between CiTiP/MintLab).   Work Package 3. Design Research (M7-16). 
Lead: Mintlab Using input from WP1 and WP2, as well as from a sensitising activity (diary study), two co-design workshops will be organised with 20 end-users. OUTPUT: user experience of algorithmic systems; list of elements that are to be made transparent).   Based on the outcome of T3.1, several interface prototypes will be created that offer different variations of algorithmic transparency. OUTPUT: interactive medium-fidelity prototypes.   Using prototypes created in T3.2, several between-subjects experiments will be set-up to assess the impact of the various interface designs on the users’ comprehension, acceptance and trust of the prototypes. OUTPUT: detailed analysis of impact of interface elements on user ratings. Work Package 4:  