Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Digitisation, democracy and the regulation of personal data use for political purposes christian d-cunha

28 views

Published on

Presentation by Christian D'Cunha at the 2019 CMPF Summer School for Journalists and Media Practitioners - Covering Political Campaigns in the Age of Data, Algorithms & Artificial Intelligence

Published in: Education
  • Be the first to comment

  • Be the first to like this

Digitisation, democracy and the regulation of personal data use for political purposes christian d-cunha

  1. 1. Digitisation, Democracy and Data Protection Christian D’Cunha 26.6.2019 1
  2. 2. 1. Data protection: A Primer 2
  3. 3. Colours Comprehensive Public only Private only Mainly private Lower level regulation Data Protection laws now in 132 countries Based on presentation by G.Greenleaf: Overview: Global developments in data privacy laws, September 2018
  4. 4. Regulatory oversight •Direct applicable •One Stop Shop with lead data protection authority (DPA) for cross border cases •Local DPAs for local matters •Administrative fines up to 2% or 4% of annual worldwide turnover •Individual actions, claims for damages •Collective actions •Criminal sanctions (in national laws) Scope of application •Extraterritorial application to non-EU based companies •Broader definition of personal data and sensitive data, new data categories Accountability •Information obligations •Data protection by design •Data security and data breach notification •Data processor agreements •Data Protection Officer •International data transfers •Code of Conduct/Certification •Documentation •Scalability/ risk-based Strengthened rights of individuals •Right to access •Right to deletion •Right to data portability •Right not to be subject to automated processing, including profiling •Right to object EU GDPR – Overview 4
  5. 5. What is different? • Territorial scope • Consent (controller has burden of proof, can be withdrawn at any time); • Must be freely given, specific, informed and unambiguous • Requires a statement or clear affirmative action • Right to data portability: transfer data to another controller in structured and commonly used and machine readable format • Right not to be subject to automated decision making which produces legal effects, including profiling: exemptions • ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements • Data breach notification obligation • to competent data protection authority no later than 72 hours (unless breach is unlikely to result in risk for rights and freedoms of individuals) • To affected individuals (if high risks to their rights and freedoms) without undue delay, exemption if data encrypted • data controllers must maintain an internal data breach register 5
  6. 6. GDPR central casting 1. Controllers  Scalable obligations  Special regimes and exceptions eg scientific research, religious organisations, purposes of journalistic or academic/artistic/ literary expression 2. Data subjects 3. Independent supervisory authorities …. 4. Processors 5. Third parties 6
  7. 7. Beyond individual rights Data protection is needed not only ‘for personal development of those individuals’ but also to avoid ‘detriment to the public good… since self- determination is an elementary prerequisite the functioning of a free democratic society predicated on the freedom of action and participation of its members’ German Federal Constitutional Court in 1983 census ruling 7
  8. 8. 2. The datafication of everything 8
  9. 9. • Adtech • Wifi tracking • Cross device tracking • Smart devices / IoT • Health monitoring apps …. 9
  10. 10. Adtech - complexity and volume Source: Brave 10
  11. 11. Adtech - sensitive data Digital records of behaviour can be used to automatically and accurately predict a range of highly sensitive personal attributes David Stilwell, Cambridge University 11
  12. 12. Opacity 12
  13. 13. Journalism declining 13
  14. 14. Political discourse has gone digital (each gatekeeper has unique problems) 14
  15. 15. Dominant business model Track ProfileTarget 15
  16. 16. The misinformation incentive • Two most shared news stories on Facebook in Q1 2019 were false (Lorenz) • Most misinformation spread by humans not bots (Vosoughi et al 2018) • Around 80% of all You Tube views are recommendations (YouTube) • People’s cultural and political predispositions are the source not the outcome of the information they consume (Kahan, 2017) • Fake news is lucrative and legitimate ad support news media rely on the same infrastructure (Braun and Eklund, 2019) 16
  17. 17. Rising market and informational power Economic* Individual rights Societal/ environmental Concentration Diminished choice and control Easy target for malicious actors Fewer start ups / ‘kill zones’/ Lower investment No oxygen for alternative business models and privacy by design CO2 emissions Increasing prices Take it or leave terms of service Local journalism and publishing Diminishing quality Curated internet experience Damage to public discourse and health of democracy Monopsony Dark patterns and exploitation Addiction Worsening inequality Privacy only for the privileged Information and bargaining asymmetries 17 * Based on econfip Policy Brief ‘Confronting Market Power’, Baker and Scott Morton, May 2019
  18. 18. 3. Politics, journalism and data 18
  19. 19. Use of data for political purposes Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established. Recital (56) GDPR  Spanish constitutional court May 2019 – struck down profiling for electoral purposes Romania – national parties can process any data without consent 19
  20. 20. EU elections and data protection • Regulation 493/2019 - up 5% fines for European parties in violation of data protection rules • European Elections Network since September 2018 • EDPB Statement January 2019 20
  21. 21. EDPB Statement 2/2019 on the use of personal data in the course of political campaigns 13 March 2019 • Engaging with voters is inherent to the democratic process. • Politics includes monitoring profiling and targeting – including use of sensitive data • Cambridge Analytica illustrates link between data protection, freedom of expression and freedom to hold opinions, possibility to think freely without manipulation. • Personal data revealing political opinions requires explicit, specific, fully informed, and freely given consent of the individuals. • Data have been made public are still personal • Solely automated decision-making, including profiling, with legal or significant effects (like voting decision) - is restricted. • People should know who and why they are targeted 21
  22. 22. Journalism and data protection • CJEU C-345/17 [14 February 2019] Sergejs Buivids v. Datu valsts inspekcija • notion of ‘journalism’ should be interpreted broadly • exemptions and derogations in Article 9 of Directive 95/46 not only applied to media companies, but to everyone carrying out journalistic activities. • So even if not a journalist under national law he may be able to rely on the derogation for journalistic purposes. • decisive criterion is whether the sole purpose of the recording and the publishing of the video was to disclose information, opinion or comments to the public. Eg in this case – to draw attention to the alleged police malpractice that took place while he was making his statement. • Member States must legislate to reconcile data protection and freedom of expression including processing [not solely] for journalistic purposes • But Member States are not aligned 22
  23. 23. 4. Digitisation and democracy 23
  24. 24. Democracy Freedom House, ‘Freedom in the world 2018’
  25. 25. • Humans vs machines • Defining ‘political’ • Defining ‘journalism’ • Internet as ‘privately run digital intelligence service’ • Rights for those who can afford it • Privatisation of the public – eg Sidewalk Labs 25
  26. 26. 26 ... debate has revolved around the misleading, false or scurrilous information (‘content’) served to people with the intention of influencing political discourse and elections... labelled ‘fake news’ or ‘online disinformation’. Solutions have focused on transparency measures.... while neglecting the accountability of players in the ecosystem who profit from harmful behaviour. ... The diminution of intimate space available to people, as a result of unavoidable surveillance by companies and governments, has a chilling effect on people’s ability and willingness to express themselves and form relationships freely, including in the civic sphere so essential to the health of democracy. This Opinion is therefore concerned with the way personal information is used in order to micro-target individuals and groups with specific content.
  27. 27. 5. Empowerment or repression 27
  28. 28. Future prospects • Social capital (Puttnam 2000) • Bonding • Bridging • Engagement and empowerment • Fragmentation and disruption • Accountability where there is power • Fair and legal data processing is a minimum 28
  29. 29. 29

×