7 Int'l Data Priv. L. 1 (2017)

International Data Privacy Law, 2017, Vol. 7, No. 1


Machine learning with personal data: is data protection law smart enough to meet the challenge?

Christopher Kuner*, Dan Jerker B. Svantesson**, Fred H. Cate***,
Orla Lynskey***, and Christopher Millard***


Almost seven decades after Alan Turing conceived of 'intelligent machines', there has recently been a surge of interest in machine learning and algorithmic decision-making. The popular imagination has been stirred by high-profile events such as the victory of IBM's supercomputer, Watson, in the US quiz show Jeopardy, and Google Deepmind's deep learning program AlphaGo's victory in the ancient Chinese game Go. Meanwhile, machine learning processes are being deployed in contexts as varied as fraud prevention, medical diagnostics, and the development of autonomous vehicles. The underlying technologies are increasingly accessible to data controllers, with major cloud computing providers including Amazon, IBM, Google, and Microsoft offering low-cost, scalable, cloud-supported machine learning services and tools, with a particular focus on data mining and other types of predictive analytics.

Regulation of 'automated individual decisions' is not new to data protection law and was addressed explicitly in the 1995 Data Protection Directive (DPD).1 The 2016 General Data Protection Regulation (GDPR) extends the protection against decisions made solely on the basis of automated processing to cover not only profiling of data subjects but also any other form of automated processing.2 All of the data protection principles apply to such processing, but perhaps most significant are the requirements of the first principle, which stipulates that processing of personal data must be lawful, fair, and transparent. Although that may appear straightforward, the practical application to machine learning of each element of this principle is likely to be challenging.

Article 22(1) of the GDPR gives data subjects the right not to be subject to decision-making, including profiling, based solely on automated decision-making that produces legal effects concerning them or similarly affecting them. Personal data used for automated decisions, including profiling, should only be collected for specified, explicit, and legitimate purposes, and subsequent processing that is incompatible with those purposes is not permitted. Machine learning is data driven, typically involving both existing data sets and live data streams in complex training and deployment workflows.3 It may be difficult to reconcile such dynamic processes with purposes that are specified narrowly in advance.

In terms of lawfulness, Article 22(2) of the GDPR does contain some specific exemptions from the prohibition on automated decision-making, including contractual necessity and consent. In those cases, however, Article 22(3) provides that the data controller 'shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision'. Again, this may look simple, but in practice how can informed consent be obtained in relation to a process that may be inherently non-transparent (a 'black box')? Even if an algorithmic process can in theory be explained, what if it is impossible to do that in a way that is intelligible to a data subject? To be sufficiently 'specific', will a separate consent be required for each situation in which personal data are to

*   Editor-in-Chief.
**  Managing Editor.
*** Editor.
1   Directive 95/46/EC, art 15 and Recital 41. For a helpful analysis of these provisions, see Lee Bygrave, 'Automated Profiling, Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling', (2001) 17(1) Computer Law & Security Review 17.
2   Regulation (EU) 2016/679, art 22 and Recital 71. art 22 GDPR appears to be broader in scope than art 15 DPD because the GDPR covers 'a decision based solely on automated processing, including profiling' whereas the DPD covers only 'a decision ... which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc'.
3   Singh and others, 'Responsibility and Machine Learning: Part of a Process', paper delivered at the MCCRC Symposium on Machine Learning: Technology Law & Policy <https://queenmaryuniversit907-public.sharepoint.com/Pages/Symposium-2016.aspx>

© The Author 2017. Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com

