Posts

ESRs presenting their research at ACM FAccT

The collaborative work of ESRs Maciej Zuziak, Onntje Hinrichs and Aizhan Abdrassulova was accepted for this year’s ACM Conference on Fairness, Accountability, and Transparency (ACM FAccT), which was held in Chicago from 12 to 15 June 2023. Maciej Zuziak presented their article on “Data Collaboratives with the Use of Decentralised Learning – an Interdisciplinary Perspective on Data Governance” during a paper session dedicated to Privacy.

In their collaboration, the ESRs combined their different research interests in law and machine learning, which enabled them to develop an interdisciplinary perspective on challenges posed by different approaches to data governance. The predominant part of the current discussion in EU data policy is centered around the challenging task of creating a data governance framework where data is ‘as open as possible and as closed as necessary’. In their article, the ESRs further elaborate on the concept of data collaboratives powered by decentralised learning techniques as a possible remedy to the shortcomings of existing data governance schemes.

Data collaboratives have been described as new emerging forms of partnerships where privately held data is made accessible for analysis and where collaboration between participants is facilitated to unlock the public good potential of previously siloed data. [1] They thus fit well with the EU policy shift that has taken place over the past years. Whilst for decades the introduction of exclusive property rights was discussed as a potential tool to empower data subjects with regard to ‘their’ data and to facilitate the emergence of data markets, this changed with the 2020 European Data Strategy. Now, the potential of the data economy should be unlocked by facilitating data access and sharing. The authors presented their concept of data collaboratives powered by decentralised learning techniques, which can be used as a tool to reach the goals of the current EU data strategy: facilitating access to data while protecting the privacy and intellectual property interests which individuals and companies might have with regard to ‘their’ data. The collaboration between the ESRs thus reflected the idea behind the LeADS project that solutions to existing tensions in the data economy require an interdisciplinary perspective from both law and data science.

The paper can be accessed in the Digital ACM library via this link.

[1] 2020. Wanted: Data Stewards – (Re-) Defining the Roles and Responsibilities of Data Stewards for an Age of Data Collaboration

Participation of Barbara Lazarotto at the SSN2022

Early Stage Researcher Barbara Lazarotto (ESR 7) presented her research at the 9th biennial Surveillance & Society conference of the Surveillance Studies Network (SSN), hosted by Erasmus University Rotterdam on June 1-3 2022 in Rotterdam, The Netherlands.

As part of the panel named “Human Rights Europe and Global South”, Barbara presented her topic of public-private data sharing under the lens of State Surveillance, analyzing the role of sensors in a Smart City context and how this data can be used to analyze and monitor entire populations.

To do that, Barbara first pointed out the broad concept of “smart cities” which is used for several different purposes and political agendas which might be concerning when it comes to the public expectations of locational privacy. Subsequently, she presented three examples of the use of public-private data sharing in smart city contexts, namely the city of Kortrijk (BE), a bridge installed in Amsterdam (NL), and the city of Enschede (NL). These three examples were able to demonstrate the extensive use of public-private partnerships that constantly track and monitor individuals’ behaviors and movements.

Lastly, Barbara focused on the fundamental rights that are violated by these sensors, highlighting that the idea that sensor data is non-personal might be misleading, since the number of sensors is becoming so high in some cities that it is in fact possible to single out an individual. Thus, Barbara pointed out that by violating locational privacy, other rights might also be violated, such as freedom of religion and liberty and security. Barbara concluded her presentation by highlighting the necessity to increase citizens’ participation within the decision-making process of smart cities’ public-private partnerships, the requirement for citizen digital literacy, and further regulation of smart city sensors.

The EU Data Act: Towards a data-sharing economy?

Author: Barbara da Rosa Lazarotto

There has never been so much data available about individuals. In 2025, the value of the data economy in the EU will be comparable to the GDP of the Netherlands [1]. IoT companies hold large amounts of non-personal data from customers that at first glance might look useless, yet they hold huge relevance.

In the current world, it is almost impossible for an individual not to have any digital footprint in any data-related company, thus we can affirm that data is a form of capital[2] and that we live in a “data economy”. Following this movement, the EU is currently working on a data strategy which consists of several acts such as the Data Governance Act[3] and the most recently proposed Data Act. Today I will focus on the recently proposed Data Act[4].

The Data Act is founded on the premise that data is the lifeblood of economic development[5] and it aims to clarify who can access and use data by removing barriers and providing a safe environment for data sharing.

Currently, we are in the midst of a technological revolution where ordinary tools such as a coffee maker and a vacuum can generate data. Thus, the Data Act aims to determine that consumers can access data generated by these everyday devices and oblige companies to share them with other companies for better use. This will generate innovation, job creation and especially benefit small businesses.

The Data Act also aims to avoid unfair competition when it comes to data sharing by creating a fairness test that prohibits companies from unilaterally imposing unfair contractual clauses related to data sharing. This tool ensures fairness in the allocation of data value among the actors of the data economy.

The Act also addresses my research subject which is public-private data sharing. On this point, in Article 14 the Act states that companies must make data available to the public sector bodies in certain circumstances e.g. in case of emergencies and other exceptional needs. In this context, there is a very good example of data sharing in case of emergencies that could easily have fit under the Data Act provisions.

In August 2005 Hurricane Katrina struck the southeastern United States, leaving widespread death and damage. Efforts to recover the New Orleans area gained a powerful ally in the use of data sharing. “Valassis Communications” is a company that mails promotional circulars to virtually every house in the United States. Using this colossal database, volunteers were able to apply funds more efficiently and directly help the individuals who needed it without spending time on house-to-house surveys. Additionally, the nonprofit independent former “Greater New Orleans Data Center” was able to track the city’s repopulation block by block. [6] Using this data, the Data Center produced several reports covering geographies of poverty, housing developments and abandonment, life expectancy and others. These reports can be a great aid to the government in directing efforts to those who most need assistance. [7] According to the Data Center, the data available to government officials at the time of the hurricane was an outdated census of New Orleans of the 2000s; the data provided by the private company Valassis therefore exemplifies the potential benefits of public-private data sharing in case of emergencies.

The Data Act is also supposed to make it easier for customers to switch between cloud service providers, determining that these providers must ensure easy switching conditions for customers.

Last but not least, the Data Act points out the importance of standardisation and semantic interoperability to data sharing and the formation of a single market of data. Thus, Article 28 refers to several essential requirements that must be complied with to ensure interoperability, e.g. data methodology, data quality, data formats and taxonomies.

With this, it is possible to observe that the Data Act is a good first step forward in the responsible and effective use of data, which will be able to create job opportunities and push the economy with new types of services.

[1] https://www.inlinepolicy.com/blog/eu-data-act

[2] Jathan Sadowski, ‘When Data Is Capital: Datafication, Accumulation, and Extraction’ (2019) 6 Big Data & Society 205395171882054.

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0767

[4] https://digital-strategy.ec.europa.eu/en/library/data-act-proposal-regulation-harmonised-rules-fair-access-and-use-data

[5] COM (2020) 66 final p.2

[6] https://spectrevision.net/2008/08/22/junk-mail-pings-new-orleans/

[7] https://www.datacenterresearch.org/maps/reference-maps/

Public-private data sharing from “dataveillance” to “data relevance”

Data sharing has become a common practice between public and private entities all over the world. The reasons for this are broad and varied, ranging from making more data available for data-rich scientific research to allowing law enforcement agencies to pursue criminal activities with greater precision. While data collection remains a fundamental activity, as it enables an ever-growing amount of data to exist, the sharing of data and its subsequent repurposing can enable further major economic and social value. A single data controller can collect so little information in comparison to the data that can be made available from several third parties.

Regulators have taken notice of this and are planning accordingly to reap the supposed benefits of the data economy by further enabling and pushing for the sharing of data. In this sense, the recent European Strategy for Data puts this practice at its core, envisaging an environment of trusted data-driven innovations fueled by data sharing between digital platforms, governments, and individuals alike.[1]

In the field of law enforcement, the amount of data available also caught the attention of competent authorities a long time ago, as it allows for more ‘smart’ crime prevention, yet at the expense of more privacy-invasive practices.[2] In this respect, the increasing amount of available data is highly interesting for the deployment of a forever-expanding surveillance apparatus by public authorities.[3] This has led to the emergence of what has been described as ‘dataveillance’[4] and its considerable expansion in the last decades, rooting itself in our society to become a troublesome practice.[5] In this context, the private sector makes available, either voluntarily or not, a considerable portion of its data to law enforcement agencies,[6] with limitations.[7]

Data sharing can also involve access to public sector generated data by private businesses. In this respect, the open data movement has been pushing in this direction for years and, in certain cases, triggering legislation that reduces the obstacles to making such data available for re-use by, for example, companies. While it is possible to find certain regulations that either foster or mandate such data sharing practices, all of them must be subject to generally applicable rules, such as the General Data Protection Regulation (GDPR).

As mentioned above, regulators intend to foster data sharing between private and public sectors. As the recent European Strategy for Data points out, certain kinds of information, such as that generated within smart cities, can provide an interesting field where public-private data sharing would be beneficial to society and individuals.[8] For example, data generated by the financial services industry provides a considerable amount of information, both in quantity and quality.[9] Nevertheless, a single payment can provide a sensitive insight into an individual’s life, from health data (for example, from recurring pharmacy expenses) up to religious information (as in the case of monthly contributions to a religious organization). This could be overcome by sharing certain information about payments in an aggregated manner, for example merely their time and date, which could help in understanding citizens’ movements in a city and in planning the city’s policies accordingly for citizens’ benefit.[10]

But how can we prevent these public-private data-sharing activities from contributing to more ‘dataveillance’? While the GDPR covers a significant amount of data processing activities, we also need to involve other relevant pieces of legislation that contemplate public authorities, particularly law enforcement agencies, such as the Law Enforcement Directive. While the obligations and rights within the relevant legal framework differ, it is possible to highlight that most of these activities should be conducted following some common principles.

Among these we point out that only accurate and relevant data should be used for a particular and specific purpose. In this respect, we can ask when the data are relevant enough for the intended purposes; in other words, we need to question when we have “good enough data” [11] for the intended public-private data sharing. By doing so, we can assess whether compliance with these rules has been reached. Through this, we can effectively implement the principles of data accuracy and minimization, alongside other applicable and relevant principles.

Understanding how these rules are effectively applied to, and guide, these public-private data sharing practices is crucial as regulators seek to foster them. For example, the European Union is currently working on a proposal for a Data Governance Act, which introduces data sharing services,[12] as well as data altruism.[13] Both of these categories, with their particularities, seek to foster data-sharing activities between private and public entities alike. Data protection watchdogs have raised their concerns regarding the current wording and extent of this proposal.[14] Among these concerns, the lack of clear integration between them and, in particular, the GDPR was highlighted as a troublesome issue.

Public-private data sharing activities are not likely to stop. On the contrary, the current data strategy for the European Union is to further expand the sharing of data in an automated manner using APIs, such as in the case of open finance.[15] The question that remains open on this front is whether these new data governance schemes can make us move from a dataveillance perspective towards a data relevance scenario. Within this context, we intend to explore this broad question at the different crossroads where this topic is present in the LeADS project and to seek ideas to tackle the matter in an interdisciplinary manner.

Authors: Prof. dr. Paul de Hert, Prof. dr. Gloria González Fuster, Andrés Chomczyk Penedo

[1] ‘Citizens will trust and embrace data-driven innovations only if they are confident that any personal data sharing in the EU will be subject to full compliance with the EU’s strict data protection rules’ (see ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data’ (European Commission 2020) COM(2020) 66 final.)

[2] David Wright and others, ‘Sorting out Smart Surveillance’ (2010) 26 Computer Law & Security Review 343.

[3] Margaret Hu, ‘Small Data Surveillance v. Big Data Cybersurveillance’ (2015) 42 Pepperdine Law Review 773.

[4] Roger Clarke, ‘Information Technology and Dataveillance’ (1988) 31 Communications of the ACM 498.

[5] Roger Clarke and Graham Greenleaf, ‘Dataveillance Regulation: A Research Framework’ (2017) 25 Journal of Law, Information and Science 104.

[6] David Lyon, Surveillance After Snowden (John Wiley & Sons 2015).

[7] ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data’ (n 1).

[8] ibid.

[9] V Ferrari, ‘Crosshatching Privacy: Financial Intermediaries’ Data Practices Between Law Enforcement and Data Economy’ (2020) 6 European Data Protection Law Review 522.

[10] Ine van Zeeland and Ruben D’Hauwers, ‘Open Banking Data in Smart Cities’ (VUB Chair Data Protection on the Ground – VUB Smart Cities Chair – imec-SMIT-VUB 2021) Round table report <https://smit.vub.ac.be/wp-content/uploads/2021/02/Report-roundtable-Open-Banking-Smart-Cities_def.pdf> accessed 6 September 2021.

[11] Angela Daly, Monique Mann and S Kate Devitt, Good Data (Institute of Network Cultures 2019).

[12] According to the current wording of the proposal, under this service, we can include: (i) intermediate between data holders and data users for the exchange of data through different means; (ii) intermediate between data subjects and data users for the exchange of data through different means for the purpose of exercising data rights provided for in the GDPR, mainly right to portability; and (iii) provide data cooperatives services, i.e. negotiate on behalf of data subjects and certain data holders terms and conditions for the processing of personal data.

[13] According to the current wording of the proposal, under this term, we are referring to “(…) the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services”.

[14] ‘Joint Opinion 03/2021 on the Proposal for a Regulation of the European Parliament and of the Council on European Data Governance (Data Governance Act)’ (European Data Protection Board – European Data Protection Supervisor 2021) Joint Opinion 03/2021 <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-edps_joint_opinion_dga_en.pdf> accessed 25 March 2021.

[15] ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU’ (European Commission 2020) Communication from the Commission (2020) 591 <https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52020DC0591&from=EN> accessed 1 December 2020.