APPENDIX A

Legal Development on Data Protection

Data and machine learning model sharing has huge benefits in our society, but improper sharing of data can lead to severe privacy infringement. In this appendix, we give three examples of legal developments to address the data privacy issue. We will review some recent regulations from the European Union, USA, and China. This is to provide the readers with more information regarding data protection laws and regulations, and is not intended to be legal advice.

A.1   DATA PROTECTION IN THE EUROPEAN UNION

In the era of big data and AI, concerns about user privacy and data confidentiality are universal. With more and more serious cases of data leakage and privacy breach [Mancuso et al., 2019], data protection is gaining increasing societal attention and public support. The General Data Protection Regulation (GDPR), introduced by the European Union (EU) in 2016 and in effect since 2018, is currently the most comprehensive and widely adopted data protection law. GDPR was enacted to protect people residing within the EU from user privacy and data security breaches in the digital age. It is considered the greatest change to EU user privacy laws in almost 20 years [GDPR Info, 2019, GDPR.ORG, 2019, GDPR overview, 2019].

GDPR replaced the Data Protection Directive (DPD) 95/46/EC [GDPR Info, 2019, GDPR.ORG, 2019, GDPR overview, 2019] in 2016. The EU gave two years for its member states to make sure that GDPR would be fully implementable in each individual member state, and it officially came into effect on May 25, 2018.

GDPR consists of 99 articles that are grouped into 11 chapters, and 173 recitals with explanatory remarks. An outline of GDPR is given below.

•  Chapter I presents general provisions, expressed in four articles (Articles 1–4).

•  Chapter II outlines the data protection principles, expressed in seven articles (Articles 5–11).

•  Chapter III defines the rights of the data subject, expressed in 12 articles (Articles 12–23), which are grouped into five sections.

•  Chapter IV defines the rights and obligations of controllers and processors, expressed in 20 articles (Articles 24–43), which are grouped into five sections.

•  Chapter V defines the regulations regarding transfers of personal data to third countries or international organizations, expressed in seven articles (Articles 44–50).

•  Chapter VI defines the roles of independent supervisory authorities, expressed in nine articles (Articles 51–59), which are grouped into two sections.

•  Chapter VII defines the regulations regarding cooperation and consistency, expressed in 17 articles (Articles 60–76), which are grouped into three sections.

•  Chapter VIII defines the remedies, liability, and penalties, expressed in eight articles (Articles 77–84).

•  Chapter IX defines provisions relating to specific processing situations, expressed in seven articles (Articles 85–91).

•  Chapter X defines delegated acts and implementing acts, expressed in two articles (Articles 92 and 93).

•  Chapter XI defines delegated acts and implementing acts, expressed in six articles (Articles 94–99).

The official GDPR document and more details can be found in GDPR document [2016].

A.1.1   THE TERMINOLOGY OF GDPR

Article 4 of GDPR clearly defines the terms used. We highlight some of the most important ones here.

•  Personal data: Any information relating to an identified or identifiable natural person (“data subject”), such as information on the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject.

•  Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

•  Cross-border processing: Processing of personal data that takes place in more than one member state of the EU.

•  Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.

•  Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

•  Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

•  Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

•  Consent of the data subject: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

•  Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

A.1.2   HIGHLIGHTS OF GDPR

GDPR enforces strong privacy-preservation rules regarding data processing. We provide here some of the important points.

•  Highlight I: Increased territorial scope (Article 3 of GDPR)

The increased territorial scope, also known as extraterritorial applicability, represents one of the major changes in GDPR as compared to DPD 95/46/EC. Specifically, GDPR applies to the following cases [DLA Piper, 2019, GDPR document, 2016, TechRepublic, 2019].

(i) The processing of personal data by an organization established in the EU, regardless of whether the processing takes place inside the EU or not.

(ii) The processing of personal data of data subjects residing in the EU by an organization that is not established in the EU, where the processing relates to the offering of goods or services to such data subjects in the EU or monitors the behavior of data subjects, as long as their behavior takes place within the EU.

(iii) The processing of personal data of data subjects in the EU by an organization that is not established in the EU, where the processing relates to the monitoring of the behavior of such data subjects in the EU.

(iv) The processing of personal data by an organization that is not established in the EU, but where EU member state law applies by virtue of international public law.

•  Highlight II: Basic principles relating to the processing of personal data (Article 5 of GDPR)

GDPR provides seven basic principles regarding the processing of personal data [GDPR document, 2016, GDPR Info, 2019, GDPR overview, 2019, Kotsios et al., 2019, University of Groningen, 2019].

(i) Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Transparency implies that any information and communication concerning the processing of personal data must be easily accessible and easy to understand. Clear and plain language needs to be used in this regard. This principle ensures data subjects receive information on the identity of the controllers and the purposes of the processing of personal data.

(ii) Purpose limitation: Personal data shall be collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.¹

(iii) Data minimization: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

(iv) Accuracy: Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without any delay.

(v) Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

(vi) Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

(vii) Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, the six data protection principles (i)–(vi).

•  Highlight III: Rights of data subjects (Articles 13–22 of GDPR)

GDPR defines eight rights for data subjects [GDPR document, 2016, GDPR Info, 2019, GDPR overview, 2019, Kotsios et al., 2019].

(i) The right to be informed: The right to be informed encompasses the controller’s obligation to provide “fair processing information,” typically through a privacy notice. It emphasizes the need for transparency over how personal data are used.

(ii) The right of access: Data subjects have the right to request access to their personal data and to ask how their data are being used by the company after they have been gathered. The company must provide a copy of the personal data, free of charge and in electronic format, if requested.

(iii) The right to rectification: Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete.

(iv) The right to erasure (a.k.a. the right to be forgotten): Data subjects have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

(v) The right to restrict processing: Data subjects can request that their data is not used for processing. Their data record can remain in place, but not be used.

(vi) The right to data portability: Individuals have the right to transfer their data from one service provider to another. It must happen in a commonly used and machine-readable format.

(vii) The right to object: Data subjects have the right to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to data subjects at the very beginning of any communication.

(viii) Rights in relation to automated decision making and profiling: Data subjects have the right not to be subject to decision-making that is based on automated processing and produces a legal effect or a similarly significant effect on them.

•  Highlight IV: Data protection by design and by default (Article 25 of GDPR)

Under GDPR, the controller has a general obligation to implement technical and organizational measures (e.g., pseudonymisation and data minimization) to show that it has considered and integrated data protection into the processing activities. The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

•  Highlight V: Breach notification (Article 33 of GDPR)

GDPR demands that all organizations report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. Under GDPR, breach notifications are now mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first becoming aware of the breach. Data processors are also required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

•  Highlight VI: Administrative fines in respect of infringements of GDPR (Article 83 of GDPR)

Under GDPR, fines for breaches of certain important provisions can amount to up to €20 million or 4% of global annual turnover, whichever is higher. Fines for breaches of other provisions can amount to up to €10 million or 2% of global annual turnover, whichever is higher. The fines under GDPR are significantly higher than those which can be imposed under current laws (e.g., up to £550,000 under current British laws).

The maximum fine is imposed for the most serious infringements (e.g., not having sufficient customer consent to process data or violating the core of “Privacy by Design” concepts). There is a tiered approach to fines. For example, a company can be fined 2% of its global annual turnover for not having its records in order (cf. Article 28 of GDPR), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning “clouds” are not exempt from GDPR enforcement.

A.1.3   IMPACT OF GDPR

GDPR gives customers, contractors, and employees more power over their data, and less power to the organizations that collect and use such data. Under GDPR, organizations must ensure that data subjects are able to obtain human intervention in automated decision-making, as well as to obtain an explanation of the automated decision and challenge it. The impact of GDPR is far-reaching. Overall, GDPR is very much in favor of individual data owners. The new regulations that have been implemented allow users to discover who holds their data, why they hold them, where they are stored, and who is accessing them [McGavisk, 2019].

The positive implications of GDPR include [McGavisk, 2019] the following.

•  Improved cybersecurity: While GDPR has direct impact on user privacy and data security, it also encourages organizations to develop and improve cybersecurity measures, mitigating the risks of any potential data leakage.

•  Standardization of data protection: GDPR ensures that once an organization is GDPR compliant, it is free to operate throughout the EU without being required to deal with the individual data protection legislation of each member state.

•  Brand safety: If an organization can become a trusted holder of information in line with GDPR, it stands a better chance to create a long-lasting and loyal relationship with customers.

The possible negative implications of GDPR are [McGavisk, 2019] as follows.

•  Non-compliance penalties: The consequence of non-compliance is overwhelming and it has encouraged organizations to make more efforts to consider their data protection responsibilities inside the EU.

•  The cost of compliance: Most organizations started by appointing a Data Protection Officer to take responsibility for ensuring that internal policies were updated and any required processes were implemented.

•  Over-regulation: Adding a double opt-in inside a form presents the modern customer with a never-ending message of consent. The continuous presence of opting-in may discourage some customers from registering as they delay the requirement of opting-in until they are absolutely certain of their interest.

The impact of GDPR on the AI industry is profound. For building machine learning models, we face the challenge that our data are stored in isolated silos, but we may be forbidden in many situations to collect and transfer data for processing [Yang et al., 2019]. That is to say, GDPR makes data collection harder, if not impossible. For AI applications whose data processing has direct legal effects on customers, such as credit applications and workplace monitoring, GDPR will limit the usefulness of AI for these purposes. For example, under Article 22 and Recital 71, a business would generally need to undergo the time-consuming process of obtaining and recording explicit consent from all customers involved [Roe, 2018]. Note that, even with federated learning, we need to obtain explicit consent from the users before carrying out federated model training, and we need to explain clearly what the data is used for, in order to be compliant with GDPR.

A.2   DATA PROTECTION IN THE USA

Unlike the EU, there is no single law or regulation for general data protection in the United States of America (USA). In the USA, there are several sector-specific and medium-specific national user privacy and data security laws, including laws and regulations that apply to financial institutions, telecommunications companies, personal health information, credit report information, children’s information, telemarketing, and direct marketing [DLA Piper, 2019, Pierce, 2018]. The USA also has hundreds of user privacy and data security laws among its 50 states and territories, such as requirements for safeguarding data, disposal of data, privacy policies, appropriate use of social security numbers and data breach notification.

Privacy law in the USA is a complex patchwork of national privacy laws and regulations that address particular issues or sectors, and state laws that address privacy and security of personal information, as well as federal and state prohibitions against unfair or deceptive data usage [DLA Piper, 2019].

One representative example is the state of California. California alone has more than 25 state user privacy and data security laws, including the California Consumer Privacy Act (CCPA) enacted in 2018, which will take effect on January 1, 2020 [CCPA, 2019]. CCPA applies across sectors, introduces sweeping definitions and broad individual rights, and imposes substantial requirements and restrictions on the collection, use and disclosure of personal information. CCPA grants consumers the right to know what information is collected and with whom it is shared. Consumers will have the option of barring tech companies from selling their data [CCPA, 2019].

The Federal Trade Commission (FTC) of the USA has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas, such as telemarketing, commercial email, and children’s privacy. The FTC can take enforcement actions to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices. Further, a wide range of sector-specific regulators, such as in health care, financial services, telecommunications, and insurance, also have authority to issue and enforce user privacy and data security regulations, with respect to the entities under their jurisdiction [DLA Piper, 2019].

A.3   DATA PROTECTION IN CHINA

There has been a boom of AI research and commercialization in China in the past few years, which is partly due to the strong support from the central Chinese government. While making great efforts in promoting AI, the Chinese government has also introduced new laws and regulations for data protection. The Cyberspace Administration of China (CAC) is currently considered the primary data protection authority in the People’s Republic of China (PRC), and there are also enforcement regulators such as the Ministry of Public Security, and sector-specific regulators that may monitor and enforce data protection issues, such as the People’s Bank of China and the China Banking Regulatory Commission, which regulate banks and financial institutions [DLA Piper, 2019].

Similar to the USA, there is no single comprehensive data protection law in China. The General Principles of Civil Law of the PRC generally interpret data protection rights as a right of reputation or a right of privacy [DLA Piper, 2019]. Rules and regulations relating to data protection and data security are part of a complex framework and are found across various laws and regulations [DLA Piper, 2019]. The following are a few examples.

The PRC Consumer Rights Protection Law (also known as Consumer Protection Law), which became effective from March 15, 2014, contains data protection obligations that are applicable to most if not all types of businesses that deal with consumers’ personal data. The Consumer Protection Law was further supplemented by the Measures on Penalties for Infringing Upon the Rights and Interests of Consumers, effective from March 15, 2015. In addition, the draft Implementation Regulations for the PRC Consumer Protection Law released on August 5, 2016, reiterate and clarify some of the data protection obligations with regards to consumers’ personal information [DLA Piper, 2019].

The PRC Cyber Security Law, enacted on June 1, 2017, is the first national-level law to address cyber security and data protection. It requires that Internet businesses must not leak or tamper with the personal information that they collect and that, when conducting data transactions with third parties, they need to ensure that the proposed contract follows legal data protection obligations [DLA Piper, 2019, Yang et al., 2019].

To implement the PRC Cyber Security Law, on January 2, 2018, China issued the national standard for the protection of personal information (GB/T 35273-2017 Information Technology—Personal Information Security Specification), known as the PIS Specification for short [Mancuso et al., 2019, GB688, 2019], which entered into force on May 1, 2018. This standard (although not legally binding) sets out the best practices that will be expected by regulators who audit companies and enforce China’s existing data protection rules [Mancuso et al., 2019, Pierce, 2018].

The E-Commerce Law of the PRC, which was passed in August 2018 and became effective from January 1, 2019, enforces the requirements to protect personal information in an e-commerce context. This new law, which aims to help clean up China’s reputation as a major source of counterfeit and knock-off merchandise, also addresses other important aspects of e-commerce, including false advertising, consumer protection, data protection and cyber security. The framework of this new law is comprehensive. For example, there are chapters and articles covering data protection and the promotion of consumer protection, and the provision of substantial civil and criminal penalties regarding data security breaches. The E-Commerce Law will make it more difficult for e-commerce companies to derive added value from the personal data they collect from their customers.

The National Health Commission of the PRC issued the Administrative Measures on the Standards, Security and Service of National Health and Medical Big Data on September 14, 2018 (the Measures for short). Under the Measures, health and medical big data refers to health and medical related data that is generated in the process of disease control and prevention or health management. Medical institutions and related entities are the responsible organizations for the security and application management of health and medical data. It is required that health and medical data be securely stored on reliable servers within the territory of China. If health and medical data need to be transferred overseas, the responsible organizations must undertake a security evaluation procedure when selecting a service agent. The responsible organizations shall ensure that the agent complies with the relevant requirements and shall jointly undertake responsibility with the selected agent. Further, China is also in the process of establishing rules for cross-border transfer of personal information and important data via the draft Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data, and the draft Guidelines for Data Cross-Border Transfer Security Assessment [Shah et al., 2019].

Finally, as AI is developing fast in China, new data protection laws and regulations are also continuously emerging. For instance, on May 28, 2019, the CAC released the Draft Measures for Data Security Management (Draft Measures for short) for public comment. The comment period ended on June 28, 2019. The release of these Draft Measures demonstrates China’s continuing efforts to implement the data protection requirements imposed by China’s Cyber Security Law [Covington and Burling, 2019]. These Draft Measures incorporate some of the personal information protection requirements specified in the Standard and its Draft Amendment (i.e., GB/T 35273-2017), and also introduce a number of new requirements for the protection of “important data,” which is defined as “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security.” These Draft Measures serve as reinforcement of the PRC Cyber Security Law.

¹ Further processing for the purposes of the public interest, scientific or historical research or statistical purposes is not considered as incompatible with the initial purposes and is therefore allowed [GDPR overview, 2019, Kotsios et al., 2019, University of Groningen, 2019].
