Data Subject’s Rights in Practice
Facts, figures, design, practice
Pierre Dewitte, Jef Ausloos & Laurens Naudts
pierre.dewitte@kuleuven.be;
jef.ausloos@kuleuven.be;
laurens.naudts@kuleuven.be
@PiDewitte; @Jausl00s
@RoboNaudts
• Background to Data Subject Rights (Jef)
• Empirically Testing the Right of Access (Pierre)
• Empirically Testing the Right to an Explanation (Laurens)
Overview
Background to Data Subject Rights
Jef Ausloos
Empower all the people!
Data Subject Rights – What are they?
• Protective Measures: ex ante, e.g. Data Quality Principles; ex post, e.g. DPA Enforcement
• Empowerment Measures: ex ante, e.g. Consent; ex post, e.g. Data Subject Rights
• Integral to data protection discussions since 1960’s
• Data Protection Directive 1995
• Charter of Fundamental Rights 2000
• GDPR 2016
Brief History of Data Subject Rights
• Art.12: Modalities
• Art.13-14: Transparency
• Art.15: Access
• Art.16: Rectification
• Art.17: Erasure
• Art.18: Restriction
• Art.20: Portability
• Art.21: Right to Object
• Art.22: Automated Decision-Making
Data Subject Rights
• Right of access = pivotal
• Guaranteeing accountability/responsibility/compliance
• Enabling other DS rights
• Guaranteeing other legal rights
• Research tool
• Fleshed out in GDPR
Zooming in on the Right of Access
• Right of access = pivotal
• Guaranteeing accountability/responsibility/compliance
• Enabling other DS rights
• Guaranteeing other legal rights
• Research tool
• Fleshed out in GDPR
• Modalities
Zooming in on the Right of Access
• Nice in theory, but…
• General assumption that these rights are
• Inefficient
• Underused
• Ignored
• Not much empirical data substantiating this
Data Subject Rights in Practice
ssrn.com/abstract=3106632
Empirically Testing the Right of Access
Pierre Dewitte
• During academic year 2016-2017, legal-empirical study on the right
of access (Art. 15 GDPR)
o Registration and use of 66 online service providers
o Analysis of each service’s privacy policy
o Generic initial request for access
o In-depth follow-up request to obtain a satisfactory answer
• Participants: 1 CiTiP researcher, 3 students involved in the KU
Leuven advanced Master in IP and IT Law
• Findings compiled in surveys at every step of the empirical study
• Results and analysis published:
o In IDPL 8(1), February 2018
o As CiTiP Working Paper on SSRN
Empirical study on the right of access
Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1)
available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
• Overview of the investigated sectors
Empirical study on the right of access
• Some findings on the privacy policies (accessibility)
Empirical study on the right of access
Number of clicks it takes to get from the homepage to the privacy policy
• Some findings on the privacy policies (completeness)
Empirical study on the right of access
Information provided by controllers in their privacy policy
• Some findings on the filing of the initial request (mention of RoA)
Empirical study on the right of access
Specific mention of the right of access in the privacy policy
• Some findings on the filing of the initial request (modalities)
Empirical study on the right of access
Specific ways mentioned in the privacy policy to exercise the right of access
• Some findings on the follow-up request (answers)
Empirical study on the right of access
74%
26%
Number of controllers who responded to our initial request
• Some findings on the follow-up request (delay)
Empirical study on the right of access
Days controllers took to respond to the initial request (other than confirmation of receipt)
• Some findings on the follow-up request (information provided)
Empirical study on the right of access
Information provided following the access request
• Some findings on the follow-up request (medium)
Empirical study on the right of access
Medium used to provide the answers
• Some findings on the follow-up request (misunderstanding)
o Many controllers referred to their privacy policy
o Some of them mentioned the possibility to edit our profile via the
service itself (name, address, etc.)
o Others did not know the existence of the right of access at all and
questioned us to obtain more information
Empirical study on the right of access
• Some findings on the follow-up request (irritation, bad faith)
o Some controllers reacted with suspicion, irritation, reluctance and
even bad faith to our access request
Empirical study on the right of access
(…) All required information is made
available in our privacy policy. If you
think it’s insufficient or believe *****
is not trustworthy, we’re happy to
delete your account and all related
data. If you would like to use the
site, then you automatically accept
our user agreement and privacy
policy. (…) We receive this type of
question once or twice a year, and it
always comes from people who
have no intention of being active on
*****. So if you have a real concern,
we’re happy to explain more info
• Some findings on the follow-up request (irritation, bad faith)
o Some controllers reacted with suspicion, irritation, reluctance and
even bad faith to our access request
Empirical study on the right of access
This type of legislation is the reason we
incorporated ***** in the US and not in
*****. In reality, real users never ask for this
type of information. They just delete their
account. Our work is to ***** in the most
trustworthy way. We have now deleted
your account and have no data on file
anymore, apart from this email in a
separate customer support system. We
have hereby fulfilled your request. And for
all clarity: we treat real users and their
privacy with the utmost respect. But we
don’t spend expensive resources to
respond to frivolous requests
• Lack of awareness
• Lack of organization
• Lack of motivation
• Lack of harmonization
Empirical study on the right of access
• GDPR, paradigm shift?
o More information to be provided: Article 12(a) DPD v. 15(1) GDPR
o Well-defined practical modalities: Article 12(a) DPD v. 12 GDPR
o Mandatory appointment of a DPO if certain conditions are met
o Introduction of Data Protection by Design (see infra)
o Guidance from national supervisory authorities or EDPB
o Awaited codes of conduct and certification mechanisms
o Heavier fines as a driver
o Market-driven incentives
o Awareness-raising effect of the GDPR
o Civil society initiatives (Usable Privacy, Polisis, Data Rights Finder,…)
Empirical study on the right of access
A bright future for transparency, the right of access and
user empowerment in general?
Empirically Testing the Right to an Explanation
Laurens Naudts
• Increasing use of algorithms impacting our daily lives
o Both online (e.g. tailored newsfeed on social media, targeted
advertising) and offline (e.g. smart cities)
• GDPR includes a so-called ‘right to explanation’ of decisions based
solely on automated processing. Spread across several provisions:
o Transparency requirements: Art. 13(2)f and 14(2)g
o Right of access: Art. 15(1)g
o Specific provision: Art. 22(3) and Rec. 71
• How this specific provision is interpreted and accommodated in
practice by controllers remains largely unknown
o Ex ante explanation of how the system works?
o Ex post explanation on how a specific decision was reached?
Empirical study on the so-called ‘right to explanation’
Algorithmic Transparency and Accountability in Practice (ATAP), KU Leuven CiTiP
and MintLab, <https://www.law.kuleuven.be/citip/en/research/projects/ongoing/atap>
• During academic year 2018-2019, legal-empirical study on the ‘right
to explanation’ of decisions taken by news recommender systems
o First-party content providers (e.g. newspaper website)
o News aggregators (e.g. Flipboard)
o Social media (e.g. Twitter)
• Participants: 5 CiTiP researchers, 3 MintLab researchers, 4 students
involved in the KU Leuven advanced Master in IP and IT Law
Empirical study on the so-called ‘right to explanation’
• Desktop research
• Empirical research
• Design research
• Target policy-makers and UI Designers
• Complexity
• Technical Level
• Expert knowledge required in order to understand and translate
recommender systems
• Dependent on target audience
• Data Level
• Explanation requires insight into the entire automated chain
• Legal Level
• Disparity amongst legal instruments available to the data subject
• Data Administration might lead to Indifference or Fatigue
• Intellectual Property versus Granularity
• Design Level
• Different ‘Recommender Purposes’ require Different Explanations
Challenges to Explanations and Transparency
Fight for your rights!
(You’re not alone)
• To exercise data subject’s rights:
o https://www.mydatadoneright.eu/: helps individuals to exercise their
rights (access, erasure, rectification, portability)
o https://www.personaldata.io: helps with in-depth/complicated access
requests (e.g. Tinder ‘hotness factor’, Facebook Hive data, Uber data,
Deliveroo data etc.)
• To better understand privacy policies:
o https://www.datarightsfinder.org/: summarises privacy policies and
assists with the drafting of requests (focus on financial services)
o https://www.usableprivacy.org/: summarises human- and machine-annotated
privacy policies
o https://pribot.org/polisis: AI-powered privacy policy analysis
Assistance along the way
Thanks for your attention!
KU Leuven
Centre for IT & IP Law (CiTiP) – imec
www.law.kuleuven.be/citip

Krisztián Száraz
 
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
NelTorrente
 

Recently uploaded (20)

Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
 
Delivering Micro-Credentials in Technical and Vocational Education and Training
Delivering Micro-Credentials in Technical and Vocational Education and TrainingDelivering Micro-Credentials in Technical and Vocational Education and Training
Delivering Micro-Credentials in Technical and Vocational Education and Training
 
Group Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana BuscigliopptxGroup Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana Buscigliopptx
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
 
clinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdfclinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdf
 
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdfবাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
 
Aficamten in HCM (SEQUOIA HCM TRIAL 2024)
Aficamten in HCM (SEQUOIA HCM TRIAL 2024)Aficamten in HCM (SEQUOIA HCM TRIAL 2024)
Aficamten in HCM (SEQUOIA HCM TRIAL 2024)
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
 
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
 
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
 

20190221 Data subject rights in practice

  • 1. Data Subject’s Rights in Practice Facts, figures, design, practice Pierre Dewitte, Jef Ausloos & Laurens Naudts pierre.dewitte@kuleuven.be; jef.ausloos@kuleuven.be; laurens.naudts@kuleuven.be @PiDewitte; @Jausl00s @RoboNaudts
  • 2. • Background to Data Subject Rights Jef • Empirically Testing the Right of Access Pierre • Empirically Testing the Right to an Explanation Laurens Overview
  • 3. Background to Data Subject Rights Jef Ausloos Empower all the people !
  • 4. Data Subject Rights – C’est quoi? Ex Ante Ex Post Protective Measures E.g. Data Quality Principles E.g. DPA Enforcement Empowerment Measures E.g. Consent E.g. Data Subject Rights
  • 5. • Integral to data protection discussions since 1960’s • Data Protection Directive 1995 • Charter of Fundamental Rights 2000 • GDPR 2016 Brief History of Data Subject Rights
  • 6. • Art.12: Modalities • Art.13-14: Transparency • Art.15: Access • Art.16: Rectification • Art.17: Erasure • Art.18: Restriction • Art.20: Portability • Art.21: Right to Object • Art.22: Automated Decision-Making Data Subject Rights
  • 7. • Right of access = pivotal • Guaranteeing accountability/responsibility/compliance • Enabling other DS rights • Guaranteeing other legal rights • Research tool • Fleshed out in GDPR Zooming in on the Right of Access
  • 8. 8
  • 9. • Right of access = pivotal • Guaranteeing accountability/responsibility/compliance • Enabling other DS rights • Guaranteeing other legal rights • Research tool • Fleshed out in GDPR • Modalities Zooming in on the Right of Access
  • 10. 10
  • 11. • Nice in theory, but… • General assumption that these rights are • Inefficient • Underused • Ignored • Not much empirical data substantiating this Data Subject Rights in Practice ssrn.com/abstract=3106632
  • 12. Empirically Testing the Right of Access Pierre Dewitte
  • 13. • During academic year 2016-2017, legal-empirical study on the right of access (Art. 15 GDPR) o Registration and use of 66 online service providers o Analysis of each service’s privacy policy o Generic initial request for access o In-depth follow-up request to obtain a satisfactory answer • Participants: 1 CiTiP researcher, 3 students involved in the KU Leuven advanced Master in IP and IT Law • Findings compiled in surveys at every step of the empirical study • Results and analysis published: o In IDPL 8(1), February 2018 o As CiTiP Working Paper on SSRN Empirical study on the right of access Ausloos & Dewitte, 'Shattering One-Way Mirrors. The Right of Access in Practice', IDPL 8(1) available at <https://academic.oup.com/idpl/article/8/1/4/4922871>
  • 14. • Overview of the investigated sectors Empirical study on the right of access
  • 15. • Some findings on the privacy policies (accessibility) Empirical study on the right of access Number of clicks it takes to get from the homepage to the privacy policy
  • 16. • Some findings on the privacy policies (completeness) Empirical study on the right of access Information provided by controllers in their privacy policy
  • 17. • Some findings on the filing of the initial request (mention of RoA) Empirical study on the right of access Specific mention of the right of access in the privacy policy
  • 18. • Some findings on the filing of the initial request (modalities) Empirical study on the right of access Specific ways mentioned in the privacy policy to exercise the right of access
  • 19. • Some findings on the follow-up request (answers) Empirical study on the right of access 74% 26% Number of controllers who responded to our initial request
  • 20. • Some findings on the follow-up request (delay) Empirical study on the right of access Days controllers took to respond to the initial request (other than confirmation of receipt)
  • 21. • Some findings on the follow-up request (information provided) Empirical study on the right of access Information provided following the access request
  • 22. • Some findings on the follow-up request (medium) Empirical study on the right of access Medium used to provide the answers
  • 23. • Some findings on the follow-up request (misunderstanding) o Many controllers referred to their privacy policy o Some of them mentioned the possibility to edit our profile via the service itself (name, address, etc.) o Others did not know the existence of the right of access at all and questioned us to obtain more information Empirical study on the right of access
  • 24. • Some findings on the follow-up request (irritation, bad faith) o Some controllers reacted with suspicion, irritation, reluctance and even bad faith to our access request Empirical study on the right of access (…) All required information is made available in our privacy policy. If you think it’s insufficient or believe ***** is not trustworthy, we’re happy to delete your account and all related data. If you would like to use the site, then you automatically accept our user agreement and privacy policy. (…) We receive this type of question once or twice a year, and it always comes from people who have no intention of being active on *****. So if you have a real concern, we’re happy to explain more info
  • 25. • Some findings on the follow-up request (irritation, bad faith) o Some controllers reacted with suspicion, irritation, reluctance and even bad faith to our access request Empirical study on the right of access This type of legislation is the reason we incorporated ***** in the US and not in *****. In reality, real users never ask for this type of information. They just delete their account. Our work is to ***** in the most trustworthy way. We have now deleted your account and have no data on file anymore, apart from this email in a separate customer support system. We have hereby fulfilled your request. And for all clarity: we treat real users and their privacy with the utmost respect. But we don’t spend expensive resources to respond to frivolous requests
  • 26. Lack of awareness Lack of organization Lack of motivation Lack of harmonization Empirical study on the right of access
  • 27. • GDPR, paradigm shift? o More information to be provided: Article 12(a) DPD v. 15(1) GDPR o Well-defined practical modalities: Article 12(a) DPD v. 12 GDPR o Mandatory appointment of a DPO if certain conditions are met o Introduction of Data Protection by Design (see infra) o Guidance from national supervisory authorities or EDPB o Awaited codes of conduct and certification mechanisms o Heavier fines as a driver o Market-driven incentives o Awareness-raising effect of the GDPR o Civil society initiatives (Usable Privacy, Polisis, Data Rights Finder,…) Empirical study on the right of access A bright future for transparency, the right of access and user empowerment in general?
  • 28. Empirically Testing the Right to an Explanation Laurens Naudts
  • 29. • Increasing use of algorithms impacting our daily lives o Both online (e.g. tailored newsfeed on social media, targeted advertising) and offline (e.g. smart cities) • GDPR includes a so-called ‘right to explanation’ of decisions based solely on automated processing. Spread across several provisions: o Transparency requirements: Art. 13(2)f and 14(2)g o Right of access: Art. 15(1)g o Specific provision: Art. 22(3) and Rec. 71 • How this specific provision is interpreted and accommodated in practice by controllers remains largely unknown o Ex ante explanation of how the system works? o Ex post explanation on how a specific decision was reached? Empirical study on the so-called ‘right to explanation’ Algorithmic Transparency and Accountability in Practice (ATAP), KU Leuven CiTiP and MintLab, <https://www.law.kuleuven.be/citip/en/research/projects/ongoing/atap>
  • 30. • During academic year 2018-2019, legal-empirical study on the ‘right to explanation’ of decisions taken by news recommender systems o First-party content providers (e.g. newspaper website) o News aggregators (e.g. Flipboard) o Social media (e.g. Twitter) • Participants: 5 CiTiP researchers, 3 MintLab researchers, 4 students involved in the KU Leuven advanced Master in IP and IT Law Empirical study on the so-called ‘right to explanation’ Desktop research Empirical research Design research Target policy-makers and UI Designers
  • 31. • Complexity • Technical Level • Expert knowledge required in order to understand and translate recommender systems, • Dependent on target audience • Data Level • Explanation requires insight into the entire automated chain • Legal Level • Disparity amongst legal instruments available to the data subject • Data Administration might lead to Indifference or Fatigue • Intellectual Property versus Granularity • Design Level • Different ‘Recommender Purposes’ require Different Explanations Challenges to Explanations and Transparency
  • 32. Fight for your rights! (You’re not alone)
  • 33. • To exercise data subject’s rights: o https://www.mydatadoneright.eu/: helps individuals to exercise their rights (access, erasure, rectification, portability) o https://www.personaldata.io: helps with in-depth/complicated access requests (e.g. Tinder ‘hotness factor’, Facebook Hive data, Uber data, Deliveroo data etc.) • To better understand privacy policies: o https://www.datarightsfinder.org/: summarises privacy policies and assists with the drafting of requests (focus on financial services) o https://www.usableprivacy.org/: summarises human- and machine annotated privacy policies o https://pribot.org/polisis: AI-powered privacy policy analysis Assistance along the way
  • 34. Thanks for your attention! KU Leuven Centre for IT & IP Law (CiTiP) – imec www.law.kuleuven.be/citip

Editor's Notes

  1. Mention link to paper. Mention other initiatives in the field of privacy policy analysis: Jamila Venturini, Luiza Louzada, Marilia Maciel, Nicolo Zingales, Konstantinos Stylianou, Luca Belli, Terms of Service and Human Rights: an Analysis of Online Platform Contracts (Revan 2016) <http://internet-governance.fgv.br/sites/internet-governance.fgv.br/files/publicacoes/terms_of_services_06_12_2016.pdf> accessed 19 October 2017; Brendan Van Alsenoy, Valerie Verdoodt, Rob Heyman, Jef Ausloos, Ellen Wauters, ‘From social media service to advertising network. A critical analysis of Facebook’s Revised Policies and Terms’, 25 February 2015 <https://www.law.kuleuven.be/citip/en/news/item/facebooks-revised-policies-and-terms-v1-2.pdf> accessed 19 October 2017; Habib H and others, ‘An Empirical Analysis of Website Data Deletion and Opt-Out Choices’ (2018); Kumar P, ‘Privacy Policies and Their Lack of Clear Disclosure Regarding the Life Cycle of User Information’, 2016 AAAI Fall Symposium Series (2016)
  2. In deliberation with these students, a selection of 66 commonly used (across the EU) information society service providers was made.
  3. While a vast majority (80%) of investigated privacy policies were reached in only one or two clicks from the homepage (fig.2), the process was still rated “difficult” to “very difficult” in 31% of instances. The most important reasons in those 31% were: Poor design, e.g. by not following today’s widespread standard of placing a hyperlink to the privacy section at the bottom of every page; The fact that information relating to privacy and data protection was also lumped together with the provider’s general terms and conditions; The fact that information relating to the privacy policy was hidden behind a vaguely or wrongly-titled link such as “Legal terms” or “Cookies policy”.
  4. List of information to be provided for by controllers is not a novelty of the GDPR: Already in Articles 11-12 DPD Now in Articles 13-14 GDPR (expanded list)
  5. Two main questions were assessed: (i) is the right of access specifically mentioned? and (ii) where/how should such a request be sent?: Regarding the first question, it is worth recalling that Articles 10(c) and 11(1)c of Directive 95/46 (Artt. 13(2)b and 14(2)c GDPR) oblige controllers to mention the existence of such a prerogative in their privacy policy. Regarding the second question, it is worth recalling that, while failing to specify the practical modalities for exercising the right of access may not violate Directive 95/46, this is likely to change with the GDPR which obliges controllers to “facilitate the exercise of data subject rights under Articles 15 to 22”. It can therefore reasonably be assumed that providing a clear procedural scheme to data subjects willing to exercise their right of access will be part of controllers’ new set of duties under the GDPR. Art. 12(2) GDPR. The exact meaning of what will constitute a facilitative practice is not clear today. This will be further specified by national DPAs, national courts and the European Data Protection Board once the GDPR enters into force.
  6. Virtually all providers are collecting non-registered users’ personal data as well (even if only through installing cookies or collecting IP addresses when visiting their website). Nevertheless, many only allow an access request to be filed through a contact point made exclusively available to registered users. In such situations finding alternative means of reaching the controller can often be considered unreasonable and disproportionate, not to mention using such alternative means may often prove ineffective.
  7. After five months, when it was decided to bring the empirical study to an end, only 74% of the investigated online service providers had responded, whether with a satisfying answer or not. In other words, 26% of them remained completely silent despite multiple reminders. As a result, the amount of responses being assessed as part of the empirical study was already reduced by a quarter compared to the number of providers contacted.
  8. The delay in responding to queries also appeared problematic in a significant number of cases. 56% of responses arrived more than 30 days after the initial request had been sent (fig.10). At the time of the empirical research, legal time limits depended on national implementing acts. This will, however, no longer be the case once the GDPR enters into force.
  9. Most of the time, either: Basic and therefore not exhaustive enough (contra Art. 15(1) GDPR); Complex and therefore not easily legible (contra Art. 12(1) GDPR).
  10. Confusion between access and erasure;
  11. - Even proactive erasure while not requested;
  12. Lack of awareness (unaware of the existence of DP law, misunderstanding about the basic notions such as ‘personal data’ or the territorial scope of application). Lack of organization (no department or team in charge of DP issues, no procedure for handling data subject’s rights, technical constraints due to the way controllers were handling their datasets). Lack of motivation (see example supra). Lack of harmonization (at the time, national implementations of DPD relevant for time limits, exception to data subject’s rights, modalities, etc.). Partially lifted under GDPR, at least when it comes to the modalities surrounding the exercise of data subject’s rights.
  13. More information to be provided (e.g. retention period, existence of rights, right to lodge a complaint with a supervisory authority, information on transfers to third countries, etc.). Well-defined practical modalities (e.g. free of charge, one month time limit, form of request, form of answer, intelligibility). DPO: remedy the lack of awareness. DPbD: The empirical study has indeed demonstrated that a significant number of controllers struggled to even identify and locate the requested pieces of information. This could be avoided by developing/reconfiguring their systems in such a way to facilitate the retrieval of relevant data in a secure and individualised way. Indeed, their systems should be designed in a way that enables the exercise of data subject rights. Ideally, this would go as far as to actively facilitate exercising such rights, for example through automating the process and ensuring information is machine-readable and interoperable (cf. Art.20 on the right to data portability). Easier said than done, but cornerstone. Guidance from national SA or EDPB in terms of templates, scenario-based approach (parallel critical infrastructure in air law). Codes of conduct for addressing data subjects’ rights (Art. 40(2)f), certification mechanisms to make it more scalable. Yet, looking at how similar instruments have worked in other sectors (e.g. financial industry), some scepticism as to their added value seems warranted.
  14. Mention link to the project. Art. 22(1): automated decision-making = ‘a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her’. Art. 13(2)f and 14(2) (privacy policy; ex ante basis): Existence of automated decision-making; At least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; In other cases, also possible but not mandatory. Art. 15(1)h (right, ex post basis): Existence of automated decision-making; At least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; In other cases, also possible but not mandatory. Art. 22(3): Only in case of automated decision-making based on contract or consent, obligation for the controller to implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision (+ Rec. 71: obtain an explanation).
  15. Desktop research (legal scholarship; HCI scholarship; interdisciplinary problem formulation) Empirical research (setting-up; conduct; interdisciplinary analysis of the results) Design research (organisation of co-design workshops; creation of interface prototypes; experimentation assessing the impact of the prototypes on users’ comprehension) Recommendations (development of a teaching module; drafting of evidence-based recommendations for regulators, policy-makers and designers; valorisation) Traditional legal desktop research, mapping and summarising the relevant literature on the right to explanation in EU data protection law. OUTPUT: chapter to be incorporated into Deliverable 1   Literature review of research on the design and evaluation of transparent algorithmic systems, documenting best practices and guidelines as input for WP3 OUTPUT: chapter to be incorporated into Deliverable 1   Combine insights gained in Tasks 1.1. and 1.2. so as to come to a more holistic problem statement. OUTPUT: Deliverable 1 - Mapping key challenges to the right to an explanation, an interdisciplinary approach.   Work Package 2. Empirical Research (M3-11). Lead: CiTiP This task consists of all necessary preparations to enable data gathering in T2.2. Drafting list of questions to be investigated, building on T1.3.; identify relevant actors to be investigated; develop online surveys for easy and centralised data gathering. The actual implementation of the scripts and lists of questions will be done in collaboration with PersonalData.io. OUTPUT: surveys, research script.   Conducting the actual empirical research, consisting of contacting online service providers and assess their compliance strategies for accommodating the right to explanation. OUTPUT: excel sheets, comprehensively mapping all gathered data.   Interdisciplinary analysis of the results, to identify key issues. OUTPUT: joint report, co-authored between CiTiP/MintLab).   Work Package 3. Design Research (M7-16). 
Lead: Mintlab Using input from WP1 and WP2, as well as from a sensitising activity (diary study), two co-design workshops will be organised with 20 end-users. OUTPUT: user experience of algorithmic systems; list of elements that are to be made transparent).   Based on the outcome of T3.1, several interface prototypes will be created that offer different variations of algorithmic transparency. OUTPUT: interactive medium-fidelity prototypes.   Using prototypes created in T3.2, several between-subjects experiments will be set-up to assess the impact of the various interface designs on the users’ comprehension, acceptance and trust of the prototypes. OUTPUT: detailed analysis of impact of interface elements on user ratings. Work Package 4:  