About | HeinOnline Law Journal Library | HeinOnline Law Journal Library | HeinOnline
LOG IN
LOG IN

7 Int'l Data Priv. L. 1 (2017)

handle is hein.journals/intldatpc7 and id is 1 raw text is: International Data Privacy Law, 2017, Vol. 7, No. 1 Machine learning with personal data: is data protection law smart enough to meet the challenge? Christopher Kuner*, Dan Jerker B. Svantesson**, Fred H. Cate***, Orla Lynskey***, and Christopher Millard*** Almost seven decades after Alan Turing conceived of 'intel- ligent machines', there has recently been a surge of interest in machine learning and algorithmic decision-making. The popular imagination has been stirred by high-profile events such as the victory of IBM's supercomputer, Watson, in the US quiz show Jeopardy, and Google Deepmind's deep learning program AlphaGo's victory in the ancient Chinese game Go. Meanwhile, machine learning processes are be- ing deployed in contexts as varied as fraud prevention, medical diagnostics, and the development of autonomous vehicles. The underlying technologies are increasingly ac- cessible to data controllers, with major cloud computing providers including Amazon, IBM, Google, and Microsoft offering low-cost, scalable, cloud-supported machine learn- ing services and tools, with a particular focus on data min- ing and other types of predictive analytics. Regulation of 'automated individual decisions' is not new to data protection law and was addressed explicitly in the 1995 Data Protection Directive (DPD).1 The 2016 General Data Protection Regulation (GDPR) extends the protection against decisions made solely on the basis of automated processing to cover not only profiling of data subjects but also any other form of automated pro- cessing.2 All of the data protection principles apply to such processing, but perhaps most significant are the re- quirements of the first principle, which stipulates that processing of personal data must be lawful, fair, and transparent. Although that may appear straightforward, the practical application to machine learning of each el- ement of this principle is likely to be challenging. * Editor-in-Chief. ** Managing Editor. *** Editor. 1 Directive 95/46/EC, art 15 and Recital 41. For a helpful analysis of these provisions, see Lee Bygrave, 'Automated Profiling, Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling', (2001) 17(1) Computer Law & Security Reviewl7. 2 Regulation (EU) 2016/679, art 22 and Recital 71. art 22 GDPR appears to be broader in scope than art 15 DPD because the GDPR covers 'a Article 22(1) of the GDPR gives data subjects the right not to be subject to decision-making, including profiling, based solely on automated decision-making that produ- ces legal effects concerning them or similarly affecting them. Personal data used for automated decisions, in- cluding profiling, should only be collected for specified, explicit, and legitimate purposes, and subsequent pro- cessing that is incompatible with those purposes is not permitted. Machine learning is data driven, typically in- volving both existing data sets and live data streams in complex training and deployment workflows.3 It may be difficult to reconcile such dynamic processes with pur- poses that are specified narrowly in advance. In terms of lawfulness, Article 22(2) of the GDPR does contain some specific exemptions from the prohi- bition on automated decision-making, including con- tractual necessity and consent. In those cases, however, Article 22(3) provides that the data controller 'shall im- plement suitable measures to safeguard the data sub- ject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision'. Again, this may look simple, but in practice how can informed consent be obtained in relation to a process that may be inherently non- transparent (a 'black box')? Even if an algorithmic pro- cess can in theory be explained, what if it is impossible to do that in a way that is intelligible to a data subject? To be sufficiently 'specific', will a separate consent be re- quired for each situation in which personal data are to decision based solely on automated processing, including profiling' whereas the DPD covers only 'a decision ... which is based solely on au- tomated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reli- ability, conduct, etc'. 3 Singh and others, 'Responsibility and Machine Learning: Part of a Process', paper delivered at the MCCRC Symposium on Machine Learning: Technology Law & Policy <https://queenmaryuniversit907- public.sharepoint.com/Pages/Symposium-2016.aspx> © The Author 2017. Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com 1

What Is HeinOnline?

HeinOnline is a subscription-based resource containing thousands of academic and legal journals from inception; complete coverage of government documents such as U.S. Statutes at Large, U.S. Code, Federal Register, Code of Federal Regulations, U.S. Reports, and much more. Documents are image-based, fully searchable PDFs with the authority of print combined with the accessibility of a user-friendly and powerful database. For more information, request a quote or trial for your organization below.



Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline.

Purchase Access

Contact us for annual subscription options:

Contact Us

Already a HeinOnline Subscriber?

Log In

profiles profiles most