7th Summer Academy for Global Privacy Law 2022

From the 27th to the 1st of July 2022 the “7th Summer Academy for Global Privacy Law 2022: Engineering data regulation(s) in an age of reform” took place at the Vrije Universiteit Brussels – VUB, one of the LeADS beneficiaries. In a hybrid format, the Summer Academy focused on the EU data governance reform, emphasizing coherence, comprehensiveness, and effectiveness. ESRs Onntje Hinrichs and Barbara Lazarotto were on the organization team along with Lina Jasmontaite, Muhammed Dermican, and Michael Van den Poel.

The program dedicated each day to a regulatory instrument, placing each regulatory text within its proper background and ecosystem, before analyzing its regulatory approach and (still draft) provisions. There was particular attention to the regulation’s relationship with specific aspects of the EU data protection law, particularly with the GDPR.

In the morning, participants attended lectures by selected speakers including internationally recognized academics, policymakers, data protection authorities, and civil society representatives. In the afternoon, they engaged in role-playing sessions focused on real-life possible applications of regulations.

Barbara Lazarotto and Muhammed Dermican (Brussels Privacy Hub Managing Director and Ph.D. candidate) were the Lecturers of the Role-Playing Session named “Selling Books on Amazon: Why would you even need the DMA?”, which explored the relationship between the Digital Markets Act with the GDPR. The participants were divided into different groups that represented different roles such as Amazon Legal Team, NOYB, EDPS, DG Competition, and Publisher’s Law Firm, and had as objective to defend their interests facing an online market sale scenario. In the end, all participants discussed their points of view about the case, the DMA, and its connections with Competition Law and Data Privacy Law.

The Summer Academy ended by strengthening the understanding of the participants regarding the EU data governance reform and further questions that might appear in the future.

LeADS Training – Poster Session and the Transition from Theory to Practice

From the 19th to 25th of June 2022 the 15 ESRs met again for their fourth training module. This time they had the chance to meet on the beautiful island of Crete, Greece. The LeADS training program is structured around several training modules that together aim at training a new generation of researchers as legally attentive data scientists that become experts in both law and data science capable of working within and across the two disciplines. Whereas the third training module in Pisa focussed on the legal perspective, this training module focussed more on the computer scientist perspective.

 

LeADS at AIAI: Panel discussion and Poster Session

The training week kicked off with a workshop on “Best Practices for the development of intelligent and trustworthy algorithms and systems” at the 18th International Conference on Artificial Intelligence Applications and Innovations (AIAI). The workshop was divided into two separate panel discussions. The first panel, moderated by Imge Ozcan from VUB, the speakers Katerina Demetzou (Future of Privacy Forum), Paul De Hert (VUB), and Afonso Ferreira (CNRS, Institut de Recherche en Informatique de Toulouse) discussed topics surrounding “Data Ownership, Privacy and Empowerment”. During their contributions the speakers addressed questions such as whether or not a potential data ownership right could integrate into existing data protection law. The second panel, moderated by Giovanni Comandé from SSSA, was entitled “Trustworthy Data Processing Design”. The speakers Jessica Eynard (Toulouse Capitole University), Gabriele Lenzini (University of Luxemburg), and Salvatore Rinzivillo (Italian National Research Council) debated what kind of legal, ethical, and technological framework is needed in order to ensure a trustworthy data economy that increasingly is in demand for secondary data uses.

Furthermore, prior to the conference all ESRs prepared posters to visualize the most important results of their research. All posters were exhibited and accessible to visitors from the AIAI conference which allowed the ESRs to engage and discuss their research with the international audience from the conference.

Training Week: From Theory to Practice

Followed by this engaging introductory sessions, the ESRs presented the results from their individual research they had been conducting throughout the first months from the LeADS project. All 15 ESRs are divided into 4 Crossroads, i. e. major challenges that still need to be addressed in data-driven societies: (1) Privacy vs Intellectual Property (2) Trust in Data Processing & Algorithm Design (3) Data Ownership (4) Empowering Individuals. Each ESR has furthermore been assigned an individual research topic. During the first months of their research journey, the ESRs wrote a State-of-the-Art analysis of their topic which constitutes the scientific foundation for the upcoming research and cross-collaboration between the researchers. During 4 sessions each ESR from each crossroad had 20 minutes to present and discuss their results.

Michael Filippakis from University of Piraeus subsequently discussed how data science impacts society and can support policy-making processes and benefit innovation. In a hands-on session he introduced the ESRs to time series analysis with R programming language. Ilias Maglogiannis from University of Piraeus in his lecture on pervasive health management technology and data analytics gave several practical examples how technology is used to analyze health activities, for instance, in the case of smart clothing to monitor athletic activities. Giovanni Comandé from SSSA talked about (challenges to) secondary uses of data and elucidated on relevant GDPR provisions. Salvatore Rinzivillo in his engaging lecture discussed with the ESRs how to design explainable AI, i. e. how to incorporate intelligibility (how does it work?) and accountability (who is responsible for?) in AI systems.

The last 3 days from the training where dedicated to two practical sessions. First, Mohamed Ali Kandi from UT3 introduced the ESRs to the creation and deployment of smart contracts with solidity. Followed by this introduction the ESRs were divided in groups consisting of both lawyers and computer scientists – reflecting the interdisciplinary approach which the LeADS project epitomizes. These interdisciplinary groups then had to write and deploy a smart contract which allowed a controller to assign and remove the right to data subjects to rectify their data. Second, Itzel Vazquez Sandoval from University of Luxembourg introduced the ESRs to the design and analysis from security protocols. During the subsequent practical session, the ESRs were introduced to the tool ProVerif and had to analyse a bank statement request protocol. In groups the ESRs had to identify potential weaknesses for attacks that could lead to security breaches in the design from the protocol.

Both exercises strengthened the understanding from the ESRs how solutions to GDPR requirements can be designed, implemented, and analysed and thereby putting a dialogue between computer scientists and lawyers into practice.

Data Protection Law Scholars Network study about The Right to Lodge a Complaint

The first study of the European Data Protection Scholars Network (DPSN) commissioned by Access Now is now published. This study aims to map current DPA practices related to the right to lodge a complaint (Article 77 of the GDPR) across different EU countries, combining legal analysis and the observation of DPA websites, together with insights from the online public register of decisions adopted under the ʻone-stop-shopʼ mechanism. In general, the research shows discrepancies that concern fundamental aspects of the submission and handling of complaints, with potentially serious implications on the level of data protection in the EU.

Amongst the authors are Gloria González Fuster one of LeADS co-supervisors and Barbara da Rosa Lazarotto (ESR 7).

Click to here read the full study.

 

 

 

Unchaining data portability

The role of data portability in the EU Digital Strategy

The concept of data portability relates to the characteristic of a set of data to be moved to, from and among applications, operating systems, or devices, with minimal friction.

The European legislator individuated  data portability as fundamental means to develop digital policies that benefit both citizens, giving them higher levels of control over their data, and the market, revamping competition thanks to clearer rules and easier mechanisms for data sharing, access and re-use.

In practice, the possibility for end-users and businesses to move to and from digital service providers seamlessly, without losing content or disrupt their services is, at least in theory, the perfect arena to fuel competition and better services.

Yet the realization of such seemingly simple capability of data is hindered by an unparalleled amount of legal, economical, and technological complications. Data portability is in fact hard to regulate. Its complexity is due to its inbred, bi-parted soul: one half being its economic-driven capacity of impacting market competition, the other being its human-rights-driven capacity of enabling people’s informational self-determination. Additionally, the two souls of data portability are inseparable, meaning that it is impossible to regulate only for data protection leaving competition untouched. The “inseparability of souls“ is a characteristic that in itself impacts the regulation of a right to data portability, because of its cascade implications on multiple domains, ranging from technological interoperability and industrial standardization to human and economic rights, to market competition and consumer’s rights, to policy in data sharing and governance.

Historically, the concept of portability stemmed from “number portability” enshrined in art 30 of the Universal Services Directive. Yet ever since, in the legislative action of the EU legislator, the concept of portability has assumed different objects, affected different subjects, required for new technologies, as well as the development of theoretical frameworks for data sharing and governance to keep pace with the evolution of the European digital market.

Objects of portability legislation have so become personal data (GDPR, proposals for the Digital Governance Act (‘DGA’), Digital Markets Act (‘DMA’) and Data Act –even special categories thereof (such as health data in the proposed European Health Data Space Regulation (‘EHDS’)), non-personal data (Free Flow of non-personal data Regulation ‘FFNPD’, Open Data Directive, and again DSA and DMA), but also the services and online content of European users (Content Portability Regulation and Digital Content Directive (‘DCD’)). Self-evidently, such heterogeneous legislative framework, among Directives and Regulations, realizing diverse political strategies and each with their specific objectives, through horizontal and vertical regulation, over the span of 20 years –and importantly: the last twenty years—in the context of the ever changing economics, technologies and societal structures of the digital ecosystem, have created a legislative omnishambles.

Such legislative omnishambles is extremely hard to navigate –even for legal experts—but  does have legal effects and does create rights and obligations for end-users as well as businesses.

Even within GDPR, the text of art. 20 allows for multiple interpretations of rights and obligations. For instance, it is unclear for users and providers what personal data shall be portable, considering “data provided by the data subject” can be that personally generated, or also that observed by the provider, or even inferred. Also unclear is, which types of formats that are structured, machine-readable, and commonly-used are also functional to ensure interoperability, and what is the legal relationship between interoperability and portability. Another fundamental, unanswered question is about where to trace the line of a “portable minimum” for each service so that the ported data are still meaningful to the data subject. There is in fact difference in being able to port single photos v. albums, or entries of a list of contacts v. a social graph of relationships. In these cases, keeping the structures and the collections of the single data entries can sometimes be as vital to the service as their entries themselves. It is in such cases that the law does not clarify what’s the minimum “data unit”.

Snowballing, the portability of single data or collections thereof might create issues with the “rights of others”, such as privacy or intellectual property. As for privacy, data portability requests may encompass personal data of others, e.g. in the case of contact lists, conversations with, or pictures of others, where it will be hard to balance the interests at stake or even find legitimate grounds for processing. Moreover, when the personal data of others is finally in the control of the requesting data subject, they fall under the data subject’s household exemption. Because of this exemption, they get no longer protected under the GDPR, which is a problem in terms of security –and a big one, should the downloaded datasets contain hundreds of contacts of vulnerable subjects or hazardous content, or be sent via insecure means. As for intellectual property, there will be cases where pictures were adjusted with proprietary filters, or collections created by the service provider on the basis of the generated or observed subject’s personal data, or content generated by a “prosumer”. These cases raise questions of legitimacy of the portability requests and need legal and technical answers.

Nowadays, the reality of fact is that, on one side, the majority of people do not know about the existence of their right to data portability, or would anyways not know how to enjoy it. On another side, there are no clear rules for service providers on how to address such requests without infringing somewhere down the line some stakeholders’ legitimate interests, nor how to create portability services that comply with all the potentially applicable rules. And finally, the European and national courts as well as Regulatory Authorities have not yet clarified questions on portability –only the case UK drivers v. Ola decided on a data portability requests, but without solving any of the above; same holds for the guidelines adopted by the WP29/EDPB.

“Politics” of data portability

Data portability is not a necessary function in most information systems. It is instead a function that the architects of an information exchange system may want to, or are obliged to embed —by a regulatory constraint in the case of Art. 20 GDPR. This means that, decisions on the existence and extent of data portability functions are the result of a normative decision of either the developers or, in our case, the legislator. Such decisions relate to how should (what?) data (personal, non-personal, content, etc…) be governed, who should decide what to do with it, and who should be responsible for making that possible. With the capability of enabling or hindering such decisions, data portability is a crucial means within the realm of “politics of data”.

The political goal of the EU legislator is to unchain the power of European data first by destabilising the de facto ownership over data by the –mostly American—information industry, and then using data the “European way”, that is fairly, securely, to the benefit of its people and businesses, and in respect of fundamental rights. To operationalize such “data sovereignty” strategy, the results of a heated political and academic conversation about governance models have rewarded forms of data openness, access, sharing and re-use, which are allegedly better at reaching goals of information privacy, innovation and competition, as opposed to data property, ownership, and other exclusivity models.

Technologies for data portability

From a technological perspective, to realize portability is quite impractical. Data migration and re-adaptation does not happen smoothly and the lack of mandated top-down coordination from the EU is not helping the standardisation process. As for data formats, practical research on portability requests showed that respondents favour some types of data formats depending on their field of service, of which only a few are GDPR compliant according to the interpretation of the U.K. ICO. As for information systems enabling portability, the EU is moving on multiple fronts. First is the upcoming roll-out of the vertical European Data Spaces, with the Health one already at proposal stage. Additionally, the development of personal information management systems (‘PIMS’) is underway, which will allow users to be “holders” of personal information to manage in secure, local or online storage systems, and to share them at will. Reading from the EDPS’ TechDispatch 3/2020,

“PIMS can usually offer personal data and other metadata describing their properties in machine readable formats, as well as programming interfaces (APIs) for data access and processing. This last feature implies the use of standard policies and system protocols. This is an essential element, the lack thereof currently also represents a limit for PIMS adoption.”

Private projects such as Nextcloud, Solid, and MyData have made promising steps toward portability-enabling systems, but have not reached a level of technology readiness to allow for market acceptance and critical adoption. Unsurprisingly, there are open-source, industry-led initiatives, championed by the Data Transfer Project of Google, Meta, Twitter and Apple, which aim to ensure the entering the market of products and services to address the consumers’ requests of downloadable user data in structured, commonly used formats (Google Takeout, etc.), as well as of direct, seamless data portability from one service to another. These projects, however, may encounter legal obstacles in European competition law ex art. 102 TFUE, but also political ones: the consideration of the EC policy agenda regarding data governance altogether excludes that American big-tech players will unilaterally establish the de facto standard data formats and systems for data portability.

 

Conclusions

Under normal circumstances, and considering the results of the EC’s impact assessments, the interplay of the mentioned regulatory efforts should shape a digital market that benefits everyone. The EU has seemingly found a silver bullet that makes market players and consumers happy, both economically and in the respect of the fundamental rights to privacy, intellectual property, and fairness in the distribution of data value.

In reality, nobody seems interested in using such silver bullet. Why is that?

After months of research, my educated guess is that the reasons are to be found in a mixture of the following:

  • From a market perspective, portability has potentially disruptive, market-wide economic effects mostly stacked against big market players. The EU has been extremely careful in (not) imposing rules and technologies for full harmonization, with a hope that multi-stakeholderism could find its ways. Citing Alek Tarkowski from the Open Future Foundation “no one tried hard to make it work, while others tried very hard not to make it work”.
  • From a law and economics perspective, although it is said that portability will benefit users and businesses, there have not been exhaustive and conclusive economic analyses providing evidence of benefits for big tech companies, nor for Small and Medium Enterprises.
  • From a regulatory perspective, the careful, delicate approach of participatory regulation and technological neutrality has been excessively open, creating uncertainties that have benefited the maintenance of the status quo –meaning, the monopolistic control over data of big tech players.
  • From a technological perspective, there remains the need to develop information systems enabling data portability. The problem is that, in privacy engineering, such development starts with the identification of the requirements, both legal and technical, and in such a moment of regulatory turmoil these are hard to identify, let alone systematize, operate, and put into the market.