Adrien Basdevant, "Opportunities and Limits of Data Regulation"

Presented at the Legal Challenges of the Data Economy conference, March 22, 2019.


ADRIEN BASDEVANT: I took down a lot of notes of what had been said and I will try to also respond to some of these observations.

And I would first like to get back to the title of this panel, which is, I guess, Accountability in Ethics. It's a striking combination of terms, since accountability-- it can be either-- it's really ambivalent terminology. It can be referred to something that is legally required or it can be referred to something that is ethically desired, which is not the same. And ethics, as you all know, plays today-- it is becoming, maybe, let's say, a fashionable topic. We talk a lot about ethics in technology, the ethics of data. We talk a lot about ethics in the digital humanities. And actually, it's good. I mean, who wants unethical technology?

But ethics is only-- and that would be my first point-- a complementary tool. We first need to have a binding set of rules which are law. And ethics is maybe a framework that helps organization to adapt to upcoming challenges. And I will illustrate that point by giving you a really concrete example. You may all heard about privacy by design. It's a provision that is set in the General Data Protection Regulation, the GDPR. It's article 25. So this is something which is now a rule of law. And if you come to violate this provision, the sanction in the GDPR, it's up to 20 million and then 4% of your general turnover.

And so this is something that is now in the law. But actually, privacy by design is an idea-- for those of you who don't know, it's what, as the introduction keynote explained, is a way to develop technological tools that will, by default and by design, protect individual freedoms and fundamental rights.

And privacy by design is not new. It's something that was introduced last century in the '90s, by Ann Cavoukian, who was working at the Data Protection Authority in Ontario, in Canada. So imagine that. This ethical idea, it took more than 20 years to be now a legal binding principle. And this is something that I want you to keep in mind during that presentation.

And this is the reason why today, I'd like to address three main points. The first one is the intent of what data protection regulation should be. And I will get back to what Henri said. I think it's a very important point to keep in mind that privacy is not the only issue at stake.

The second point will be the limits of such regulation. And I will use GDPR, because I believe it's the most robust illustration of data protection today. And I guess that maybe if some of the citizens in the US did not recover from Equifax, it's maybe because they don't have a GDPR, because pollution spills is like data breach. Now, under the GDPR, you have 72 hours to notify such breaches. So I guess maybe this is something that could be also used. But there are some limits, and I will tackle that.

And the third point will be, as I mentioned in the introduction, how ethics can play a complementary role to help us prepare for upcoming challenges. But I again-- emphasis on the fact that it's only a complementary role. It cannot be ethics before the law, or ethics in order to prevent legal rules to apply.

Why? Because you can see that in data is ethics, and you can see that also in other domains, such as corruption, you have a lot of AML, anti-money laundering policy. You have private companies that use more often ethics not to apply the law, because they say, we have set our own set of rules, and so we don't need the-- we don't need the rule of law to apply. We already have our own legislation. And this is something really tricky, because when you come to think about it, there are more people that are using Facebook than people that are inhabitants of the US. It's only 325 million people in the US. And the Constitution of Facebook-- I mean, the terms of services, are for two billion people now. 2.5, but I reduce, because there are 0.5 bots.

SPEAKER 1: 0.05. It's not a lot.

ADRIEN BASDEVANT: Why do we need binding and compulsory principles? Getting back to the title of that panel, we have first, accountability. Accountability is something that is at the core of the General Data Protection Regulation. This is something that is trying to create a sphere of trust so that every stakeholder can really render accounts. This is the-- I get back to this basic idea of accountability. But accountability is something that you can find in any democratic society. In the middle age, the accounting, lex mercator-- in English, it's the law of merchants-- it was the fact for merchant corporations to render accounts. And if they were not following proper accounting, they could engage their corporate responsibility.

So this is something that's accountability that we can date back then in the middle age. And I think it's a good example, actually, [INAUDIBLE] from the College de France, to explain that it's the first time that we link mathematics and law. Because you use some statistic description or some mathematical tools to engage some legal responsibility.

So now you have accountability that is within the GDPR. Accountability is a way to self-- to say to everyone, OK, you can use self-regulation. But at the same time, please document your compliance in some data processing register or in some, as we call it, data protection impact assessment. And I emphasize on the fact this is called "data protection" and not "privacy impact assessment". Because we most often hear "privacy impact assessment".

And I will go back to your point-- this is not privacy. Data protection and privacy are two separate concepts. Why? Just get back to the EU Charter of Fundamental Rights. You have Article VII, privacy. Article VIII, it's data protection. If there are two articles, it means it's not the same social value. And I really agree with Henri on the fact that we tend to focus too much on privacy. And even-- not getting back to your talk, which was very interesting, about more public interest focus-- even if you take the individual interest, as we heard this morning in the opening keynote, it's a lot about discrimination. It's not only about big brother is watching you. Privacy is, of course, really important. And I think we all agree on that. But we have to be up to date. I mean, today, the question is a question of accountability. Accountability of algorithm, to be able to have access to the logic involved in some decision-making process that might be opaque.

And so, I guess, data protection is first and foremost a question of democracy. And so you have to understand that data protection is not a question about privacy only. And you have to keep the fact that there are a lot of misconception. People tend to say-- it can be in some instances, but it's not a general principle-- people tend to say data protection stifle innovation.

You have to remember that this text, which actually date back in the '95 in Europe, and in France, we already have this provision for 40 years, so this is nothing new. It's two concepts at the same time. On the one hand, it's the free flow of information. And on the other hand, it's the protection of personal freedoms. But you have both. It's not only about conferring rights and having obligation. It's also-- because Europe and the European Union tried to create a free trade space and also have a space in which there will be free movement of people-- so it's something that is both the free flow of information and the protection of people.

So what is accountability? Accountability is the fact that you will render accounts to people. And if you don't do so, there is a data protection supervisory authority that can fine you. So those principles have been existing for some years. And among them, you have the privacy by design. A concrete application of privacy by design today, getting back to data minimization, is technology that are called zero knowledge proof, the technology thanks to which a party can prove information to another party without revealing the content of this information. So this is really interesting mechanism. And so, those are all part of how we can both develop the free flow of information and at the same time protecting the rights of people.

What I wanted to say about accountability is, this is something that is a driving force of the GDPR, which is a bit new. But most of the time, there is another misconception about data protection regulation is to say, we need new laws. In France, we like that. We always-- there is a new problem, you use the total net, we need new laws. And actually, what we need is not new laws. We have to enforce rights. And I will tell you later some of the rights that do already exist in the GDPR for ages and that nobody tried to enforce.

So sure, there are some limits. That would be my second point. The limits is that you can always tend to believe that law is lagging behind technology. Technology is evolving so fast, how can you do? And it's true that there are some tensions. You can illustrate that easily by talking about big data. Big data, on the one hand, and GDPR, on the other hand. Big data is big. Data minimization is not big. Big data, as Dominique Cardon explained, you need to collect as much data as possible, and you don't know beforehand what are the purposes. Because maybe, you will find a useful correlation. So it goes against the purpose limitation principle that is at the heart of the GDPR. So you can believe that GDPR is not adapted to this technology.

You can also say, for instance, that GDPR relies on the definition of personal data. And I really like the example of Dominique Cardon about Netflix. You have more than 75 micro raw identifying you. And it's really striking, because today, any kind of data can be personal data. Any and every single one of you-- the way you're sitting, the way you are looking or not looking to that direction, might identify you in a really unique way.

There is a useful and famous statistic that using the census data in the US, you could identify, more than 20 years ago, 90% of the population with only three elements-- a zip code, a birth date, and a job. Imagine now with big data, with the exponential volume of data, how we can-- even with data that do not seem to be personal data-- you might be identifying everyone. And this is really a problem, because maybe the GDPR that should only apply to personal data would apply to any kind of data.

In Europe, in the EU, we used to have all the data protection authority working together as the Working Party 29, which has now become the European Data Protection Board. And they issued an opinion in 2014-- it's opinion 04-2014, for those who are interested-- on the measures of-- on anonymization measures. And it specified the way you can qualify the personal data. You can qualify your personal data if you are able to re-identify someone based on three criteria, either inference, either correlation, either singling out.

And my point is, how can you escape that definition today? And I think the supervisory authority need to address that, because basically, with data that are non-personal, I'm sure that if we just aggregate all of them, we can identify everyone here just the way you sit, the way you et cetera. So this is the first point. I think we should update the legal standard. Why? Because the opinion dates back from 2014. And the state of the art, as far as technology are evolving, is really fast. And in the opinion, there was no word about homomorphic encryption. There was still a question tag around the question of differential privacy. So the DPA, the data protection authorities, need to update their views to be sure to keep pace with the state of art.

And if every data can become personal data, we can even say that every data can become insensitive data, because depending on the Netflix example-- getting back to the Netflix example, for instance, the movies you watch may give some inference on your political beliefs. Maybe you use delivery to order some food, and maybe it will give some inference on your religious beliefs. So we have really to keep that in mind.

And I will use a last example, getting back to some issue that has been approached a lot this morning, is discrimination. I think there is a big loophole in data protection regulation right now. That is, it's not working hand-in-hand with nondiscrimination law. In the GDPR, you have a provision in article 22 that's under certain conditions forbids to use fully automated decision-making that have a legal effect on people or similarly significantly affect them. And that provision only applies to solely automatic decision-making. So if you have a human in the loop, it does not apply.

And also, there is a recital 663 that says that if there are a trade secret or if there is an intellectual property rights, that will not apply. So imagine for a private company that have developed an algorithm, there is actually no way to access it. So getting back to the open question of, should we audit algorithm, is transparency enough, et cetera, I think this is something that is really, really important, because if you want to be able to have accountability, you have to be able for users to have access to useful information about the process. Or you have, maybe, to understand meaningful information about how everything works behind that.

Also, this is maybe a way to illustrate the difference between ethic and law, is that, for that kind of access to algorithm functioning, the GDPR talks about-- I will end in just one last minute-- the GDPR talks about an explanation. And an explanation, when it's not defined in the text, is not a legal qualification. An explanation is not a legal justification. So maybe the data controller will just give you some information about how an algorithm recruited you or did not hire you, but you will not have access to the logic behind. This is something that we should not regulate right now, but this is something we should think ethically right now in order to apprehend that upcoming issue, and at some point, make it binding. Thanks so much.

Big data