As 2017 draws to a close, the May 25, 2018 compliance deadline for the EU General Data Protection Regulation (GDPR) is looming. Companies, law firms, and legal service providers with clients in Europe have likely already begun risk assessments and data mapping projects. For those who haven’t, the deadline will mean shorter holiday vacations or a very busy January.
Congress is also starting to scrutinize how companies use and protect the personal information of their users and customers. Recent high-profile data breaches impacting the personal information of millions of Americans—not to mention reports of foreign influence in the presidential election using social media platforms—have led lawmakers to ask probing questions. One topic being explored is how algorithms make use of personal information and data generated by users.
On November 29, 2017, the U.S. House of Representatives held a joint hearing of the Communications and Technology Subcommittee and the Digital Commerce and Consumer Protection Subcommittee titled “Algorithms: How Companies’ Decisions About Data and Content Impact Consumers.” According to the press release, the hearing was intended to examine how actions taken by tech companies and online platforms affect consumer privacy and choice, and to give lawmakers the opportunity to learn and ask questions about the “impacts of online algorithms, advertising, privacy policies, consumer data flows, content regulation practices, and more.” In other words, Congress is taking an interest in data science and in how applications of AI, such as machine learning, impact consumers.
But what does this have to do with GDPR?
The GDPR is expected to impact applications of data science due to limits it places on automated data processing and consumer profiling. Article 22 of the GDPR states that “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” There’s a lot to unpack in that sentence, but it certainly indicates an intent to rein in certain types of data science applications.
Under the GDPR, data processing may be characterized as “profiling” when it involves automated processing of personal data and the use of that data to evaluate certain personal aspects relating to a natural person. Examples include analyzing or predicting “aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” Interpretations vary, but the provision appears aimed primarily at automated processing used to make decisions about the data subject.
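To make the definition concrete, consider a minimal, hypothetical sketch of the kind of system Article 22 targets: a model trained on personal data that renders a consequential decision with no human in the loop. All field names and figures below are invented for illustration; this is not any particular company’s system.

```python
# Hypothetical sketch of "profiling" under Article 22: a model trained on
# personal data that makes a consequential decision with no human review.
# All field names and data are invented for illustration.
import numpy as np
from sklearn.linear_model import LogisticRegression

# Each row: [income, age, years_at_address, num_late_payments]
# -- personal data used to "evaluate certain personal aspects".
X_train = np.array([
    [52000, 34, 6, 0],
    [31000, 22, 1, 3],
    [78000, 45, 12, 0],
    [24000, 29, 2, 5],
])
y_train = np.array([1, 0, 1, 0])  # 1 = loan approved, 0 = denied

model = LogisticRegression().fit(X_train, y_train)

# A new applicant is scored and decided entirely by the model.
applicant = np.array([[40000, 27, 3, 1]])
decision = model.predict(applicant)[0]

# The outcome "produces legal effects" for the applicant, yet no human is
# in the loop -- the pattern the GDPR gives data subjects a right to contest.
print("approved" if decision == 1 else "denied")
```

If a human reviewer meaningfully weighed the model’s output before the decision issued, the processing would arguably no longer be “based solely on automated processing,” which is why the degree of human involvement is likely to be a focus of future guidance.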
It remains to be seen how European authorities will enforce these provisions of the GDPR. Companies obligated to comply will be watching for guidance from the European Data Protection Board, which will likely determine what specific types of automated data processing fall within the definition of profiling and issue guidance on the law’s restrictions. Meanwhile, U.S. companies whose users may fall outside the GDPR’s reach are likely watching activity in Washington closely for any indication of similar domestic regulatory action.
The prepared statement of witness Laura Moy of the Georgetown Law Center on Privacy and Technology for the November 29th hearing reflects concepts firmly established in the text of the GDPR. She told members of the two subcommittees that “information about consumers is not collected in a vacuum” and that it is used to “power automated decision-making.” Ms. Moy also stated that “many things that once were decided by humans are now often decided—or at least influenced—by predictive formulas designed by data scientists, and those formulas may be responsible for decisions that have important effects on consumers’ lives.”
It’s unlikely that we will see any legislative action in the U.S. prior to the GDPR compliance deadline. In the meantime, domestic companies can prepare both for the GDPR and for similar domestic regulation, should it gain steam in Washington. First, conduct a risk assessment and data mapping exercise to determine whether personal information is used in any automated processing or machine learning applications. One important question to ask is whether you need to collect the data at all. Next, take steps to implement data protection by design: the practice of building privacy into a product during development rather than addressing it after release. As noted by Ms. Moy, “Americans are asking for more protections for their private information, not less.”
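One way to put that advice into practice at the pipeline level is to enforce data minimization and pseudonymization before records ever reach analytics or model training. The sketch below is hypothetical; the field names, the salt value, and the `prepare_record` helper are invented for illustration, not a prescribed implementation.

```python
# Hypothetical sketch of data protection by design: minimize and
# pseudonymize personal data before it reaches an analytics pipeline.
# Field names and the salt are invented for illustration.
import hashlib

# Fields the analysis actually needs -- collect nothing else
# (data minimization: do you need to collect the data at all?).
REQUIRED_FIELDS = {"user_id", "plan_tier", "last_login_days"}
SALT = b"rotate-me-per-dataset"  # placeholder; manage real salts securely

def pseudonymize(value: str) -> str:
    """Replace a direct identifier with a salted one-way hash."""
    return hashlib.sha256(SALT + value.encode()).hexdigest()[:16]

def prepare_record(raw: dict) -> dict:
    """Drop fields the analysis does not need, then pseudonymize the ID."""
    record = {k: v for k, v in raw.items() if k in REQUIRED_FIELDS}
    record["user_id"] = pseudonymize(record["user_id"])
    return record

raw = {"user_id": "alice@example.com", "plan_tier": "pro",
       "last_login_days": 3, "home_address": "10 Main St"}  # never stored
print(prepare_record(raw))
```

The point of building this into the ingestion step, rather than filtering later, is that downstream systems never hold raw identifiers in the first place, which is the essence of addressing privacy during development rather than post-release.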
Lisa Hawke is the Director of Security and Compliance at Everlaw.