Research paper

koti
WeighingtheImpact.pdf

16 C O M M U N I C AT I O N S O F T H E A C M | N O V E M B E R 2 0 1 8 | V O L . 6 1 | N O . 1 1

news

I M

A G

E B

Y M

I X

M A

G I

C

with the advertisements that you ac- cept. And I think people are becoming more and more aware of the fact that their personal data do have a value.”

Says Alison Cool, assistant profes- sor of anthropology at the University of Colorado, Boulder, “There are a lot of questions and ambiguities that must be addressed, but it’s clear that GDPR will significantly change the data landscape.”

While the U.S. and a number of other countries have adopted an opt- out approach to data collection—es- sentially, a consumer must instruct a company if he or she doesn’t want his or her data used or shared in cer- tain ways—Europe has implemented a more restrictive opt-in approach. However, GDPR takes this concept to a new and previously untested level. Besides giving consumers near-total control of their data, they can have

W H E N T H E E U R O P E A N

U N I O N (EU) General Data Protection Regu- lation (GDPR) went into effect on May 25,

2018, it represented the most sweeping effort yet to oversee the way businesses collect and manage consumer data. The law, established to create consis- tent data standards and protect EU citizens from potential privacy abus- es, sent ripples—if not tidal waves— across the world.

GDPR gives European citizens great- er control of their data while establish- ing strong penalties for businesses that do not comply. What is more, any data that involves EU citizens or touch- es EU companies is covered by GDPR. The initiative replaces an older data privacy initiative called the Data Pro- tection Directive 95/46/EC, which was introduced in 1995.

The implications and ramifications are enormous—and the initiative’s reach is global. GDPR will change ev- erything from the way data collection takes place to the way corporate data- bases are designed and used. It also will potentially change the way research and development takes place, and will impact cybersecurity practices, as well as introducing a practical array of challenges revolving around sites and repositories where groups share com- ments, information, and other data.

“It’s a groundbreaking initiative,” says Brett M. Frischmann, Charles Widger Endowed University Professor in Law, Business, and Economics at Vil- lanova University, and Affiliate Scholar of the Center for Internet and Society at Stanford Law School. “Europe has flipped a switch and prompted recon- sideration of how data can be collected, managed, and used.” The EU takes the position that a person owns his or her data, and their privacy is a fundamen-

tal right that is “basic to the integrity of a human being,” Frischmann adds.

Data Wars Digital technology has inexorably changed the face of privacy. Today, there is a perception—and plenty of evidence to support it—that personally identifiable information (PII) is under assault as never before. A Pew Research Center survey found that in the U.S., 93% of adults say being in control of who can get information about them is important; 90% say controlling what information is collected is important. The figures in Europe and other parts of the world are the same.

In a 2016 interview in Recode, Eu- rope’s Competition Commissioner Margrethe Vestager said, “There is no such thing as a free lunch. You pay with one currency or another—either cents, or you pay with your data, or you pay

Weighing the Impact of GDPR The EU data regulation will affect computer, Internet, and technology usage within and outside the EU; how it will play out remains to be seen.

Society | DOI:10.1145/3276744 Samuel Greengard

N O V E M B E R 2 0 1 8 | V O L . 6 1 | N O . 1 1 | C O M M U N I C AT I O N S O F T H E A C M 17

news

their data removed from a database or online source at any time and, for those who believe they have been wronged, seek an investigation and join a class-action lawsuit.

Strict rules about how organizations collect, manage, and process data any- where in the world are only the starting point for GDPR. It allows consumers to file complaints with each nation’s na- tional data protection authority, which will investigate the claim. A company that violates GDPR could face a fine of up to 4% of its worldwide annual revenue from the previous fiscal year. The regulation also mandates consum- ers can remove themselves from a da- tabase at any time and take their data elsewhere—to a new bank, a new mo- bile provider, or a new content service.

Not surprisingly, data scientists, le- gal experts, and others have radically different perspectives of GDPR. Says Daniel Le Métayer, Senior Research Scientist at Inria (the French Institute for Research in Computer Science and Automation) and a leading authority on data protection and privacy, “GDPR could be a great achievement if prop- erly implemented. It could establish a more concrete framework for data use and protection and help reduce the misuse of personal information.”

Adds Cool: “It potentially changes the balance of power. GDPR takes aim at the widely used model of forced con- sent, which is built on the idea that in exchange for various services, there is an implicit agreement to give up your personal data.”

However, there are also plenty of potential pitfalls likely to result from GDPR. Le Métayer says the complexity of GDPR, and the way regulators and courts interpret some of the intention- ally vague wording, could create such rigid restrictions that the initiative be- comes ineffective over time.

There is also strong opposition in the corporate arena, where the focus is on profiting from data rather than stemming the wave of abuses and breaches. Attorneys such as Tanya Forsheit, partner and chair of the Privacy & Data Practice Group at New York City-based law firm Frankfurt Kurnit Klein & Selz, demonstrate the level of frustration about changes as a result of GDPR. Forsheit describes many GDPR provisions as onerous,

and suggests they could be more ef- fectively addressed through self- regulation. “It is simply not possible to be 100% compliant. GDPR forces or- ganizations to devote significant time and expense to comply with standards that are not consistent with the way business is done online,” she argues.

Data Gets Personal To be sure, the practical challenges of complying with GDPR are significant, especially as digital technology and ar- tificial intelligence (AI) advance.

Personal assistants such as Siri, Alexa, and Cortana add layers of com- plexity to the issue of PII. Robo-advi- sors, chatbots, recommendation ser- vices, and other automated systems introduce additional compliance chal- lenges. All these systems collect and store data about individuals. In the past, there was no need to determine where a person lived; under GDPR, that could amount to crucial informa- tion that would need to be added to each individual data point related to an individual. Even human resources systems, payroll systems, and similar repositories of personal data could be significantly impacted by the regula- tion; all may require algorithmic audit- ing processes that revolve around “data protection by design.”

Companies already are voicing con- cerns that GDPR could inhibit innova- tion by limiting how data is handled in apps, databases, and online ser- vices—and how data is used for adver- tising and other purposes. The issue could impact autonomous vehicles,

GDPR allows consumers to remove themselves from a database or online source at any time; companies violating GDPR face fines of up to 4% of their global annual revenues.

Milestones

Håstad Receives Knuth Prize The 2018 Donald E. Knuth Prize has been awarded to Johan Torkel Håstad of Sweden’s KTH Royal Institute of Technology for his sustained record of milestone breakthroughs at the foundations of computer science, with major impact on areas including optimization, cryptography, parallel computing, and complexity theory.

The Knuth Prize is jointly bestowed by the ACM Special Interest Group on Algorithms and Computation Theory (SIGACT) and the IEEE Computer Society Technical Committee on the Mathematical Foundations of Computing (TCMF). The Prize is named for Donald Knuth of Stanford University, the “father of the analysis of algorithms,” and is bestowed in recognition of outstanding contributions to the foundations of computer science by individuals for their overall impact in the field over an extended period.

A professor of computer science at the KTH Royal Institute of Technology in Stockholm, Håstad received his bachelor’s degree in mathematics from Stockholm University, his master’s degree in mathematics from Sweden’s Uppsala University, and his doctorate in mathematics from the Massachusetts Institute of Technology.

Håstad’s works resolved long-standing problems central to circuit lower bounds, pseudorandom generation, and approximability. He also introduced transformative techniques that have fundamentally influenced much of the subsequent work in these areas.

Previous honors bestowed on Håstad include the ACM Doctoral Dissertation Award (1986), the Gödel Prize for outstanding papers on theoretical computer science (1994 and 2011), and the Göran Gustafsson Prize for outstanding achievement in mathematics.

18 C O M M U N I C AT I O N S O F T H E A C M | N O V E M B E R 2 0 1 8 | V O L . 6 1 | N O . 1 1

news

robotics, and a variety of systems that rely on AI. Organizations may ulti- mately need to keep two separate da- tabases—one for the EU and one for elsewhere—or find ways to differenti- ate records in databases.

In addition, GDPR might add a layer of complexity atop an already complex European privacy framework. For ex- ample, more than 2.4 million individu- als have already submitted “right to be forgotten” requests so they can be expunged from Google searches. Cool says some people believe the law will “hinder innovation by making organi- zations more risk averse.”

Depending on who opts in, who opts out, and what data appears or disappears from a database or oth- er source, the situation could be- come even more problematic. As Frischmann puts it, “What happens when one person at a group meeting or part of a community invokes a pri- vacy clause but it affects everyone?”

The greatest challenge may be en- suring companies in the EU and be- yond adhere to the spirit of GDPR. Many companies lack expertise in how they will need to implement and man- age data under GDPR; they also do not know the levels of expertise or staffing required to conduct crucial data protec- tion impact assessments.

“If businesses view GDPR as a checklist activity rather than an issue that requires ethical reflection—and if they look to exploit loopholes and skirt the intent of the law—the long-term outcome could be negative,” Cool says. “When you look at groups like bio- ethicists and physicians, the starting point for discussion is how to do the right thing for society; it’s not about avoiding getting sued or how to side- step legal and ethical provisions.”

Cracking the Code on Privacy How GDPR will play out is anyone’s guess. The initiative could revolution- ize the data landscape—or it may fiz- zle into a footnote in digital history. It could also change the way the Internet works and how data and information flow across sites, clouds, and more.

One wild card is how consumers re- act to GDPR. If large numbers of peo- ple revoke access to PII or challenge the way companies use their data, busi- nesses may reach an inflection point

where they will have to rethink the fundamental way they approach and navigate data management, or reevalu- ate the fundamental value of data and how it is monetized. GDPR also might mandate new tracking and data man- agement tools, such as blockchain.

Le Métayer argues that businesses need to address complex issues such as conducting data protection impact assessments and implementing data portability, which requires agree- ing on standard data formats. Other sources of uncertainty include the compatibility of GDPR with big data, and the rules concerning automated decision-making. Article 22 of GDPR states individuals have the right to “not be subject to a decision based solely on automated processing, in- cluding profiling.” GDPR also allows consumers to contest a decision, but it is not clear what type of explanations should be provided to make this right effective. “The issue is also technical, since providing useful explanations about certain types of algorithms is a challenge in itself,” he says.

GDPR could also prompt companies to directly pay for PII data, Frischmann says. “If the power balance shifts and consumers gain leverage over their personal data, companies may look to provide incentives, discounts, and di- rect compensation for the use of data. It could flip the current model and even lead to entirely different ways to approach data,” he explains.

In fact, a recent study conducted by digital marketing agency Syzgy in Germany, which polled 1,000 respon- dents each from the U.S., U.K., and Germany, found citizens in all three countries would sell their data for be- tween €130 (about US$150) and €140 (US$165) per month.

One thing is certain: amid a litany of security breaches and breakdowns, from Equifax to Cambridge Analytica, there is a growing focus on data pri- vacy. What is more, other government entities are exploring ways to control how data is collected, managed, and used. In the U.S., the State of Vermont enacted a law in May 2018 that estab- lished standards for data. California is now eyeing an initiative—the Califor- nia Consumer Privacy Act—that could extend many of the same GDPR pro- tections to the state. Other countries, from Australia to Japan, have also re- vised data standards and privacy con- trols in recent years.

Frischmann says GDPR, above all else, represents the ongoing battle be- tween unfettered capitalism and hu- man dignity. The whole point of it is that it is not designed to be an efficient regulation for businesses. “To some ex- tent, it’s about a person’s ability to exer- cise their own free will about their life.”

Cool says that, in the end, it is vital to strike a balance between privacy and laws. “We need more research that looks carefully at how personal data is collected and by whom, and how those people make decisions about data pro- tection. Policymakers should use such studies as a basis for developing em- pirically grounded, practical rules.”

Further Reading

Wachter, S., Mittelstadt, B.D., and Russell, C. Counterfactual Explanations Without Opening the Black Box: Automated Decisions and the GDPR, Harvard Journal of Law & Technology, 31 (2), 2018. November 2017. https://papers.ssrn.com/sol3/papers. cfm?abstract_id=3063289

Casey, B., Farhangi, A., and Vogl, R. Rethinking Explainable Machines: The GDPR’s ‘Right to Explanation’ Debate and the Rise of Algorithmic Audits in Enterprise, Berkeley Technology Law Journal. February 19, 2018. https://papers.ssrn.com/sol3/ papers.cfm?abstract_id=3143325

Kaltheuner, F. and Bietti, E. Data is power: Towards additional guidance on profiling and automated decision-making in the GDPR. Information Rights, Policy & Practice Journal, Vol. 2, No. 2. 2017. https:// journals.winchesteruniversitypress.org/ index.php/jirpp/article/view/45

Samuel Greengard is an author and journalist based in West Linn, OR, USA.

© 2018 ACM 0001-0782/18/11 $15.00

Above all else, GDPR represents the ongoing battle between unfettered capitalism and human dignity.