Towards a Magna Carta for Data

Transcription

1 Towards a Magna Carta for Data Insight Centre for Data Analytics White Paper A discussion document to inform EU policy and regulation on data privacy, ownership, research and innovation 4/2/2015

2 Insight Research Centre White Paper: Building a Foundation of Trust in Big Data A Magna Carta for Data, brought to Europe by Insight, a global centre for data analytics Executive Summary This White Paper discussion document has been created by Insight, a global centre for data analytics. With over 350 researchers, Insight is Science Foundation Ireland s largest ever research investment and one of the biggest data analytics institutes in the world. Big Data is a new frontier with significant implications for citizens, governments and business. There is growing public unease about the pace of growth in Big Data and lack of transparency about its use. Data use by public and private entities raises important questions about ownership, privacy, individual rights and societal progress. We cannot allow technology to outrun policy and legislation. We need to define the rights of all stakeholders and anticipate the issues that are likely to arise. The creation of Insight puts Ireland at the forefront of data analytics research. Ireland takes its responsibility in the area seriously and, with this White Paper, seeks to lead the discussion on data ethics and to put Europe on the road to fair and relevant legislation to establish and protect the rights of everyone involved. We can balance the needs and rights of data providers and owners. Rights-based legislation must be supported and implemented by a technical infrastructure. The Magna Carta for Data secures our future. It provides a basis to provide assurance to European citizens that their trust in Big Data is not misplaced. The era of Big Data is upon us. Europe must develop a Magna Carta for Data. Contact: Barry O Sullivan barry.osullivan@insight-centre.org For more information:

3 The Magna Carta for Data: A Bill of Rights for Europe s Citizen Big Data promises incredible societal benefits: a better life for citizens, more and cheaper food production, better transport, education, health and better resource utilisation. But citizens and businesses are concerned: data companies are collecting data that directly influences them, their families and their livelihoods. These concerns are not only about privacy, but go much deeper. Corporate owners of data can develop lock-in mechanisms to control entire sections of society, leading to unrest and rejection of the benefits of data analytics by the data providers. Data owners may evolve into monopolies and oligopolies and citizens and other business fear that they might be locked in and controlled. This may inhibit innovation instead of promoting it. Fear would lead user to reject the benefits of data analytics. Tim Berners-Lee, the creator of the world wide web, has suggested the development of a Magna Carta, a bill of rights for European citizens, for the web and data on the Web. We suggest broadening the Magna Carta for data beyond the web, as there are many forms of data that are not web accessible but have societal and personal relevance. Today there is a fundamental tension that exists between data, its uses, and its users. Users have legitimate concerns that data, collected by third parties, which relates to their actions, beliefs, preferences, or intentions may be used without their (informed) consent, and in ways that may have a detrimental impact on their interests, business or reputation, whether intentionally or not because third parties can dispose of their data as well. The current data protection framework is no longer fit for purpose. In January 2012, the European Commission proposed a new framework that aims to address current and future developments in personal data protection. Within this, the case of personal data that is processed, analysed and combined with the data of others (and with data from other sources) for health and wellness benefits is particularly interesting. This activity has enormous potential benefits: Research into medicine and health has rapidly become a Big Data application with population data now used to inform diagnosis and treatment. Yet the current EU legislative framework for ethical leveraging of such Big Data applications is inadequate. The almost exclusive focus on the privacy of the individual, while politically popular, is potentially damaging to progress. In 2013 Science Europe, a non-profit organisation representing more than 50 major research funding and research performing organisations throughout Europe, published an opinion paper on The Benefits of Personal Data Processing for Medical Sciences in the Context of Protection of Patient Privacy and Safety. 1 This paper warned of the devastating implications of amendments, if passed, to the European Commission s proposal for a General Data Protection Regulation. The Commission s proposals contain a number of provisions and exemptions crucial to facilitating vital medical and health research within a framework of protection of individual rights to privacy. So while the legislators wrestle with issues of how to develop a framework for legislating for the use of Big Data in personal applications, technology and society continue to develop and certain basic ethical questions have still to be tackled. The Magna Carta for Data will ensure the protection of a user s data while at the same time facilitating the exchange of this data, upon the user s consent, for either beneficial research purposes, or for business purposes, e.g. targeted personalised advertising. The Magna Carta for Data can balance the needs and rights of data providers, owners, and those implicated by the use of the data. Because it needs to be 1

4 realised in a technical environment it needs to be supported and implemented by a technical infrastructure. The Magna Carta is not just for individual users it must safeguard society by enabling access to data when necessary for societal benefit. It s a crucial document for the development of Big Data as a Magna Carta would address public concern and create a fair platform that everyone can rely on and a solid foundation for all of the European Union to thrive on. Questions for the data-driven society The field of Big Data ethics is entirely new, newer even than the cutting-edge capabilities it seeks to regulate. Technology has moved at such a pace that questions are now arising that would not have occurred to us a decade ago. The very notion of ownership is in question. The Magna Carta will seek to ensure that the rights of the individual are protected, while allowing information to be used for the good of societies and economies. Questions that need to be examined include the following: 1) What is the objective and the good that can be achieved by Big Data technologies? What are the main goals of Big Data and why are they valuable? Are there any other valuable goals that can be promoted by Big Data that are currently ignored? Do we need to reconsider/ redefine the goals that are promoted by Big Data? We need a clearer idea about the overall purpose of Big Data technologies so we can design them more appropriately to suit their purpose. We need to define policies that support the main goals of Big Data. 2) What does it mean to own certain data? Ownership is often seen in the context of a set of entitlements, e.g. to use, store, publicise, sell, transport, or destroy something. Which entitlements are involved in ownership of data? How can these entitlements be justified? Who should own data? What does co-ownership of data mean? Are current interpretations and arrangements of ownership adequate to deal with Big Data? If, as suggested by some, users were to own their information, would this hinder innovation? The economic model of Internet giants is predicated on accessing vast amounts of data in return for services if users own this data, the Internet companies will no longer have direct access to it. 3) What exactly are the downsides of Big Data in terms of the potential of privacy infringements? What kinds of privacy infractions have occurred as yet? What kinds of violations are to be expected in the future? Why are these infringements to be avoided? Are they to be avoided at all costs or do they have to be balanced as necessary negatives against certain valuable goals that can only be achieved with Big Data technologies? If the latter is the case, how do we optimise the balancing of privacy infringements against benefits of Big Data? What sort of privacy can individuals expect to maintain in an era of Big Data? Will there be any information they can reasonably expect not to be monitored?

5 4) Can Big Data technologies negatively affect people s autonomy? How does Big Data affect the balance of power between people, corporations, and authorities? An example of indirect harm to autonomy is self-censoring behaviour by those who think they are being monitored. Direct harm to autonomy might occur when an autocratic (or democratic) government uses Big Data technologies to effectively root out any resistance. Are there other examples? How realistic are these examples? How can these scenarios be avoided? 5) How could Big Data technologies facilitate discrimination and marginalisation? Could the use of Big Data trigger undesirable kinds of profiling in the name of national security? Could their employment cause certain people to experience difficulties getting particular forms of insurance? How can equity and fairness be guaranteed in the application of Big Data technologies? What other harms to the interests of people can be expected from Big Data? 6) How can the trustworthiness of ICT in general and the Internet more specifically be assured? A breakdown of trust triggered by immoral instances of Big Data use might have hugely undesirable societal follow-up effects. How can Big Data technologies be operated in a trustworthy manner? 7) How do we ensure that contracts between individuals and powerful Big Data companies or governments are fair? Can we assume that the individual, who may not be very well informed about Big Data or privacy, is autonomous when signing the contract? (Particularly when all that is required for agreement is the click of a mouse.) 8) Where does responsibility for the security of data lie? Does it lie with individuals or with companies or governments? This will have implications for cost. Feeling safe in a data-driven society Big Data has an image problem. It s a fact that today only 12% of European web users feel that they are entirely secure while making online transactions. In order to ensure the sustainable and reliable functioning of our data-driven society, it is essential to build trust. Article 16 of the Treaty on the Functioning of the EU stipulates that everyone has the right to the protection of personal data concerning them, however the complexity of the issue when it comes to private data and its protection needs a more elaborate policy and legal framework than we currently have. Moreover, citizens require practical tools and services that will provide them with secure access based on trust and control of their own personal data. The analysis of personal data brings with it not only risks but also many opportunities in various fields from health to urban efficiency. Big Data analysis based on the distributions of DNA markers can better identify and predict disease patterns, for example. Third party companies including Microsoft (HealthVault), Google

6 (Google Fit), Apple (Health Kit) and Samsung (SAMI) are able to compose a holistic overview of a person s state of health and wellness by using data analytics to process personal data uploaded by the individual. There is huge potential to use data to improve the lives of people in cities. Take the solutions for Smart Cities, for example, involving citizen sensing and collecting data from smart grids, leap cards and more. Research such as this aims to improve the quality of life in cities as well as the use of resources. It can lead to improved safety and transportation, with a clear economic impact on the city ecosystem. Despite such advantages, the European Parliament s concern for data privacy is ever stronger. In its amendments to Articles 81 and 83 of the Commission s General Data Protection Regulation, the Parliament restricted the use of personal data for research on health. One of the amendments reads: when [this research] can be achieved without the use of personal data, such data shall not be used for those purposes, unless based on the consent of the data subject or Member State law. 2. Keeping up with technology: the need for fundamental regulation 2.1 Privacy versus Progress: Towards an Evolving Notion of Privacy The current EU legislation regarding data protection is Directive 95/46/EC. It has two main objectives: to ensure fundamental rights in the area of data protection; and to guarantee the free flow of personal data between Member States. This directive allows for personal data to be deleted if it is incomplete and incorrect, however it does not go beyond that. According to EU legislation, when the EU comes up with a directive it is binding upon all Member States only as to the end to be achieved, leaving the Member States to decide themselves on their own methods of implementation. For this reason the 95/46/EC directive was implemented differently in all the Member States. As a result, it was not until 2010 that a Spanish citizen filed a complaint to Google Spain for keeping outdated data of his bankruptcy. This was one of the cases that forced the Commission two years later (2012) to come up with a directly binding General Data Protection Regulation including the so-called right to be forgotten clause. The Regulation was part of the EU s Stockholm Programme Action Plan whose objective was to set the EU s priorities for the area of justice, freedom and security for the years The plan was to make legislation more effective by harmonising it across the EU Member States, thus enhancing the protection of individual s data according to the Internal Market principle. The European Parliament not only endorsed the Regulation but also amended it by obliging companies to erase the data upon request. This amendment was upheld by the European Court of Justice as recently as May 2014, which forced Google to accept requests for data erasures. 2.2 Fear of Oligopolies The information that results from the analysis of Big Data can bestow huge advantages on those who use it. However, there are drawbacks. If people don t trust the companies that hold their information, they may withdraw regardless of the benefits. Take Monsanto as an example. In 2013, Monsanto, a US-based agriculture biotechnology company, known for producing pesticides and genetically modified crops, bought Climate Corporation, a San Francisco start up founded to supply farmers with better weather and agricultural predictions for US$1 Billion. Climate Corporation has built a predictive platform combining local weather information and yield data on the field level. This enables Monsanto, together with previous acquisitions to engage in prescriptive farming, telling farmers what and how to

7 plant in a field, and boosting output by roughly 5% over two years, a feat no other single intervention could match. [1]. The Economist in [1] reported that [Farmers] fear that the stream of detailed data they are providing on their harvests might be misused. Their commercial secrets could be sold, or leaked to rival farmers; the prescriptive-planting firms might even use the data to buy underperforming farms and run them in competition with the farmers; or the companies could use the highly sensitive data on harvests to trade on the commodity markets, to the detriment of farmers who sell into those markets. [.]Another worry is that, since the companies have not yet made the data fully portable, farmers may become locked into doing business with a single provider. The Economist also reports that in response to such worries, the American Farm Bureau, the country s largest organisation of farmers and ranchers, is drawing up a code of conduct, saying that farmers own and control their data; that companies may not use the information except for the purpose for which it was given; and that they must not sell or give it to third parties. If enough farmers sign up and deliver their data to Monsanto s prescriptive farming, it creates a lock-in situation: more and more farmers will have to participate since competing farmers will increase their yield, putting a non-participating farmer into competitive disadvantage. New data analytics companies will also find it very difficult to compete with Monsanto their access to farming data will create a competitive advantage for Monsanto and create a high entrance barrier. By locking in its users, companies like Monsanto have the opportunity to lock in an entire sector of our economy, creating unrest among its users and possibly rejection of the benefits of Big Data and data analytics. Similar issues exist throughout our economy. Companies like Google, Facebook, Amazon and Netflix are collecting consumer data, but as the importance of data and data analytics is increasing it becomes increasingly obvious that more is at stake. What is being done? 2.3 Positioning of the White Paper and the Need for Activities This Strategic Research and Innovation Agenda (SRIA) defines the overall goals, main technical and nontechnical priorities and a research and innovation roadmap for the European contractual Public Private Partnership (cppp) on Big Data Value. The SRIA has several core activities in data privacy: In the technical priority area Privacy and Anonymisation Mechanisms the SRI suggests the development of a complete technical data protection mechanism. In the non-technical priority area Social perceptions and societal implications the SRIA aims to address privacy-by-design principles and create a common understanding amongst the technical community, as well as to identify key privacy concerns and develop answers based on new solutions. In the non-technical priority area Policy, Regulation and Standardisation the SRIA suggests the setting up of dedicated projects to address the circumstance of new data, with the intention, among others, of establishing an inventory of roadblocks inhibiting a flourishing data driven economy, and to make and collect observations about the discovery of new legal and regulatory

8 challenges along with the implementation of state-of-the-art technology and the introduction of new technology. This white paper complements the SRIA. The substantial risks to the economic well-being of Europe from rapidly emerging data oligopolies and monopolies need to be tackled and mitigated. Roadmaps for a Magna Carta for Data in the EU The Magna Carta for Data is a techno- legal- socio-framework that works with and for society, industry and research to bring balance and create trust. There is a variety of ways in which we can begin to implement the Magna Carta. For example, the following sections analyses how to inform the Big Data PPPe. 4.1 Policy and Regulation We focus on ethical issues that need further analysis in order to inform, refine and substantiate any future Big Data policy. In this section we first describe the current data protection framework as well as the proposed changes. In addition, we focus on ethical issues that need further analysis in order to inform, refine and substantiate any future Big Data policy. 4.2 Science & Horizon Scanning The promise of Big Data analytics is driven by fundamental advances across a variety of disciplines and sectors. These advances have led to entirely new approaches when it comes to capturing data, processing the data, transforming the patterns that are found into compelling uses for individuals, communities, businesses and society as a whole. The Big Data Analytics Lifecycle: Capture Process - Use Capture. To date we have only scratched the surface of what might be possible to "sense" in the future. The current trend in wearable technology opens up the possibility of a much more comprehensive approach to personal sensing in the future, for example, beyond tracking coarse-grained activities (such as walking, running, sleeping) to capturing real-time data about intimate physiological signals. Such capabilities will be possible because of new approaches to biological sensing from the material science that is enabling new kinds of always-on LOAC-based wearable sensors and driving the capture of real-time data from our blood, sweat, and tears to a new generation of ingestible sensors that are capable of recording the details of our a variety of biological processes. As an example, personal data alone is set to explode over the coming decade as more people explore the benefits of personal sensing and the health and lifestyle benefits that it promises. Capturing this data is just be beginning of the Big Data analytics lifecycle. These new sources of data will be described, stored, and formatted in a way that facilitates understanding and usage/prediction. Technologies like Semantic web and linked data technologies create a real-time web of personal data - a world of structured personal data - that can be understood, searched, and otherwise processed.

9 Process. Unlocking the value of the data is about leveraging the second-order effects of this data, understanding the patterns hidden within, not just at an individual level, but also aggregated across groups, communities and populations of people, to exploit known-patterns and regularities within aggregated data streams. A good example is the use of mobile phone location information to infer traffic congestion in social mapping applications. But equally it is the third-order effects of data process where a new opportunity exists: the recognition and understanding of previously undetected patterns within the data, from simple periodicities to more complex patterns. It is this vision that is, in part, driving Google X's new Baseline Study to identify a genetic baseline for a healthy human among aggregated genetic data. Underlying all of this is an assumed willingness of individuals and communities to participate in a level of data exchange and sharing that will facilitate these types of applications. This cuts to the very core of the ethics and regulation of Big Data analytics and will necessarily require advances in areas such as anonymisation, encryption, and security, leading to a "privacy-by-design" approach. The engine that enables this includes recent advances in statistical analysis techniques and machine learning from Bayesian methods to Deep Learning. In particular it is necessary to understand the relationships that new machine learning techniques identify, and in doing so explaining the implications and impact of such patterns. Indeed the next major challenge for machine learning techniques is to deploy them as part of an integrated analytics platform, to exploit structured knowledge from the real-world in real-time. This will introduce a new level of automation during data capture thereby closing the loop of the data analytics pipeline. Use. Deploying Big Data insights in the real world starts with getting the right information to the right "user" at the right time. But more that this it is about driving the type of behavioural change that can disrupt traditional industries, from health and nutrition, to transport and energy. Understanding the possible disruptions and preventing societal lock-in mechanisms is key to ensuring the benefits for the EU Infrastructure Technical/Engineering Challenges/Opportunities A challenge in dealing with personal/private data in a Big Data analytics setting is assuring that policies, queries, access, etc. are governed in a transparent manner and that control lies in the hands of the data owner, subject to due regard for the public interest. While this is governed by policies, standards and systems that create the necessary infrastructure, there is also a requirement for a co-evolutionary relationship with regulations. Another challenge is to create the infrastructure and standards of using and reusing of public information - Open Data. Thanks to international agreements and European regulations more public data is becoming available, but cross-country regulation of private data sharing (eg. for citizens moving across countries) is still a grey area. Data (both public and private) is becoming easier to access and integrate. Data owners have control over a portion of their data corresponding to their personal data, and can grant access to other individuals or organisations to use data in pre-specified and well understood ways. Our vision implies a highly distributed physical infrastructure as a direct reflection of the Magna Carta. This has significant implications for how systems and tools are built for enabling Big Data analytics.

10 Therefore, a variety of infrastructure elements is required for realising the benefits of data analytics while still being policy-compliant: some at the level of data management protocols, to algorithm for data processing and aggregation, to data exploitation and usage. These infrastructure elements can be broadly characterised in standards and systems. Systems implementation validates the developed standards. Standards need to be developed that express how data can be shared, used and reused and that reflect the Magna Carta. Machines and data analytics infrastructure need to understand these standards and adhere to them, while the standards also support the implementation of the policies and support the verification of policy compliance. Examples of standards to be developed include: Characteristics Enabling Technologies Identification/identity management User access to knowledge about what is done/can be done with their data (eg. profiling and awareness related to the verification of policy compliance) Anonymisation/summarisation Applications and impact By clarifying the fundamental rights regarding data in Europe the Magna Carta will improve European industrial competitiveness in markets by facilitating economic conditions for wide take-up of results; offering clear business opportunities and consumer choice in usable innovative technologies and increased awareness of the potential and relevance of trustworthy ICT. It will lead to adequate support to users to make informed decisions on the trustworthiness of the system. It will increase trust and confidence of EU citizens in businesses, and increase usability and societal acceptance through understanding of legal and societal consequences. It will create demonstrable improvements in the following areas: 1. Trustworthiness of increasingly large-scale heterogeneous data and systems 2. Protection against and handling of network threats and attacks and the reduction of security incidents Europe needs a Magna Carta for Data.

11 5. Sources 1. A. Travis, & C. Arthur, "Individuals have right to control their data and can ask search engines to remove results, says European court", May 13, B. Marr, "Do We Need A New Magna Carta For Big Data?", Linkedin, April 2, B. Marr, "The Awesome Ways Big Data Is Used Today To Change Our World", Linkedin, November 13, 2013, 4. Berners-Lee seeks web Magna Carta ", March 12, Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, Council of the European Union, Council Conclusion EUCO 169/13 of 25 October 2013" 7. D. Barton, "Reversing Gears: Project Syndicate s Year in Review 2013", Project Syndicate, December 19, The Economist: Digital disruption on the farm. May 24th, European Commission, Commission Staff Working Paper, Impact Assessment, SEC(2012) 72 final, Brussels, 25 January European Commission, Digital Agenda for Europe, Towards a thriving data-driven economy, July 2014, European Commission, Digital Agenda for Europe, TPillar III: Trust & Security, 2014, European Commission, Directorate-General for Justice, Commission proposes a comprehensive reform of the data protection rules, 01 January 2014,

12 13. European Commission, Directorate-General for Justice, European Commission's comprehensive approach, 15 January 2011, European Commission, Directorate-General for Justice, European Commission's comprehensive approach, 25 January 2012, European Commission, Directorate-General Press and Communication, Progress on EU data protection reform now irreversible following European Parliament vote, 12 March 2014, European Commission, Directorate-General Press and Communication,Commission urges governments to embrace potential of Big Data, 02 July 2014, European Commission, Directorate-General Press and Communication,Today's Justice Council A Council of Progress, 06 June 2014, European Commission, Directorate-General Press and Communication, Factsheet on the Right to be Forgotten ruling (C-131/12), 2014, df. 19. European Union, Summaries of EU Legislation, The Stockholm Programme, an_union/jl0034_en.htm. 20. European Commission, Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data /* COM/2012/010 final /0010 (COD) l, Brussels, European Commission, REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, Brussels, 25 January, 2012.

13 22. Guide to Doing Business with EU - Germany, UK, France & Italy", KHTDC, June 2008, Hunton & Williams LLP, "European Parliament Adopts Draft General Data Protection Regulation", Hunton & Williams LLP, March 12, 2014, -general-data-protection-regulation-calls-suspension-safe-harbor/. 24. J. Fioretti, "Google removes first search results after EU ruling", June 26, 2014, J. Kiss, "An online Magna Carta: Berners-Lee calls for bill of rights for web", March 12, s-lee-web. 26. Legislative Scrutiny", Hunton & Williams, 2014, M. C. W. Murphy, "Profits up sixfold as Netflix looks to build on its House of Cards ", Medill Reports, January 23, 2014, O. Bowcott, "Britain seeks opt-out of new European social media privacy laws", The Guardian, April 4, 2013, ten-law. 29. Parliament of the European Union, Jan Philipp Albrecht (rapporteur), On the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 C7-0025/ /0011(COD)), 22 November 2013, AMENDMENTS Urban Efficiency as the Cornerstone of Attractive Cities", Schneider Electric, vol. 2, 2011, n-efficiency-as-the-cornerstone-of-attractive-cities.pdf?tsk=43217p&pc=36664t&keycode= 43217P&promocode=36664T&promo_key=36664T