Legal Implications of data-driven decision making

Danube University Krems. University for Continuing Education.
June 2019 | Page 1
www.donau-uni.ac.at
Danube University Krems.
University for Continuing Education.
Legal implications of data-
driven decision making
Mag. Bettina Höchtl
Samos, June 2019

June 2019 | Page 2
www.donau-uni.ac.at
 Doctoral candidate (2019)
 Member of scientific staff (Danube
University Krems, 2014-present)
 Associate (Lawyer’s office, 2012-
2013)
 Trainee (Regional Criminal Court
Vienna, County Court Schwechat,
2011-2012)
 Master of Law (University of Vienna
2011)
05.07.2019

June 2019 | Page 3
www.donau-uni.ac.at
Key aims of the lecture
 Basic introduction & general insights into
General Data Protection Regulation (GDPR)
 Examples how GDPR affects certain
technology use
05.07.2019

June 2019 | Page 4
www.donau-uni.ac.at
Agenda
I. Introduction
II. GDPR – Basic overview
a. Aims
b. Fundamental Concepts
c. Key Roles
d. Principles
III. Decision making and Art
22 GDPR
IV. Discussion of the GDPRs
impact on concrete cases
a. Research Project
SmartGov - Smart
Governance
b. Autonomous systems
V. Quiz & Discussion

June 2019 | Page 5
www.donau-uni.ac.at
I. Introduction
What is data-driven decision making?
 Different approaches
– Additional sources for a broader decision making
basis
– Suggestions for decisions
– Actual decision making through the system
 Various application scenarios
05.07.2019

June 2019 | Page 6
www.donau-uni.ac.at
Why data-driven decision making?
…from the PA-perspective
 Better decisions?
– Additional information providing insights policy makers didn’t have before
– Mc Afee and Brynjolfsson 2012: “The evidence is clear: Data-driven decisions tend to
be better decisions.”
 Principle of outcome-orientation
– Measurable Results
– Indicators & Comparisons
 Limited budget & personnel resources
– Free personnel from routine tasks through technological support
– Data production increases: more efficiency using existing resources
05.07.2019

June 2019 | Page 7
www.donau-uni.ac.at
Why data-driven decision making?
…from the citizen- and the economic perspective
 Citizens
– Data-driven decision making as
the “engine of accountability”
in educational context (Isaacs 2003)
– Transparency –
comprehensibility - citizen
participation
• Background information
• Implications: other policy domains
 Economy
– Use as management tool in
companies (Mc Afee and Brynjolfsson 2012)
05.07.2019

June 2019 | Page 8
www.donau-uni.ac.at
Constitution
e.g. Rule of
Law
Data
protection
Copyright
Data driven decision making touches
various areas of law
Procedural
Rights
Other
aspects
05.07.2019

June 2019 | Page 9
www.donau-uni.ac.at
How data-driven decision making?
Variety of Types
 Fully automated or partly automated
 (In-)Applicability of Art 22 GDPR
– Automated individual decision-making according to Art 22 GDPR
– Profiling according to Art 22 GDPR
Special requirements of Art 22 GDPR – to be met in addition
to the general data protection principles!
05.07.2019

June 2019 | Page 10
www.donau-uni.ac.at
Application areas of data driven
decision-making
Use in education cf. Mandinach 2012; WP 29 (2018) refers to Guidelines on automated decision making, p. 5
 Areas mentioned by WP 29 (2018):
 Taxation
 Insurance
 Marketing
 Advertising
 Healthcare
 Finance
 Other areas
 Education
 Credit bureaus / score
 Job application / Labour market– Austrian labour market service (probable duration
of unemployment)
05.07.2019

June 2019 | Page 11
www.donau-uni.ac.at
Potentials & Challenges
Tailor services to individual
needs* (medicine,
education)
Enhance efficiency with
limited (personnel)
resources
Discovery of new
correlations
Restrict people to their
preferences*
Perpetuate existing
stereotypes*
Discrimination, Bias in
algorithms
(*Cf. WP 29 (2018) Guidelines on automated decision making, p. 5)
05.07.2019

June 2019 | Page 12
www.donau-uni.ac.at
Agenda
I. Introduction
a. Aims
c. Key Roles
d. Principles
22 GDPR
impact on concrete cases
a. Research Project
SmartGov - Smart
Governance

June 2019 | Page 13
www.donau-uni.ac.at
www.donau-uni.ac.at
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC
II. GDPR-Basic Overview
a. Aims

June 2019 | Page 14
www.donau-uni.ac.at
Underlying Considerations
Dual Objectives
 Technological development as challenge for data protection (Recital 6)
– Increase of exchange of personal data (companies, authorities)
– Publication of personal data (individuals)
 Contribution to economic and social progress (Recital 2)
– Strengthening of the economies within the internal market
– Well-being of natural persons
 Enhancement of trust, security and control (Recital 7)
– Trust and security as a basis for economic growth
– Natural persons should control their own data
05.07.2019

June 2019 | Page 15
www.donau-uni.ac.at
Crucial: Personal data & anonymisation
pixel2013 / 2165 images Pixabay License Free for commercial use No attribution required https://pixabay.com/photos/crocodile-alligator-reptile-animal-4017958/
05.07.2019

June 2019 | Page 16
www.donau-uni.ac.at
Is this personal data?
Picture references see References at the end of these slides
05.07.2019

June 2019 | Page 17
www.donau-uni.ac.at
Is this personal data?
05.07.2019

June 2019 | Page 18
www.donau-uni.ac.at
Relation to an individual person
05.07.2019

June 2019 | Page 19
www.donau-uni.ac.at
Relation to a group
05.07.2019

June 2019 | Page 20
www.donau-uni.ac.at
Personal vs. Anonymous Data
 Is personal data involved?
– Personal data
– Non personal data
– Previously personal data
 Anonymous information (Recital 26)
– information which does not relate
• to an identified or
• identifiable natural person or
– personal data rendered anonymous in such a manner that the data subject
is not or no longer identifiable
“the question of whether
data relate to a certain
person is something that
has to be answered for
each specific data item on
its own merits“ (WP 29
4/2007, 12)
05.07.2019

June 2019 | Page 21
www.donau-uni.ac.at
www.donau-uni.ac.at
Anonymisation
Absolute Theory vs. Relative Theory
ECJ judged that a dynamic IP-
address is personal data for the
• operator of a website when
he has
• legal means which allow him
to have the person identified
through
• combination with additional
information available for the
person’s internet service
provider (ECJ, C 582/14, 49)
Recital 26:
To determine whether a
natural person is
identifiable account should
be taken of
• all the means reasonably
likely to be used,
• either by the controller
or
• by another person
to identify the natural
person

June 2019 | Page 22
www.donau-uni.ac.at
„What can I do to anonymise my
dataset?“
 GDPR provides minimum Standards
= State of the art, but no technical requirements for anonymisation(Klar and Kühling
in Kühling and buchner 2017, Art 4 Nr. 1 mn 33)
 Privacy enhancing technologies (PETs)
– E.g. aggregation (Hoepman 2014)
 In case of doubt better qualify as personal data
05.07.2019

June 2019 | Page 23
www.donau-uni.ac.at
c. Key Roles
What roles does the GDPR provide?
 Three main actors Controller
Data Subject Processor
05.07.2019

June 2019 | Page 24
www.donau-uni.ac.at
Teritorial scope (Art 3 GDPR)
Processing activities linked to
– An establishment of a controller or a processor in
the EU, regardless of whether the processing takes
place in the EU or not
or
– The data subject being in the EU and being
• Offered goods and services or
• Behaviourally monitored
05.07.2019

June 2019 | Page 25
www.donau-uni.ac.at
www.donau-uni.ac.at
Controller and Data Subject
Controller
Main Responsibility:
Demonstration of compliance
to data protection principles
(Art 5 GDPR)
Data Subject
Data Subject‘s Rights:
Art 12-20 GDPR
Means & purpose of
processing
Individual natural person the
personal data can be related to
o Lawfulness
o Purpose Limitation
o Data Minimisation
o Storage Limitation,…
o Access
o Rectificaton
o Erasure
o Data Portability,…

June 2019 | Page 26
www.donau-uni.ac.at
d. Principles
Art 5 GDPR
 Lawfulness, Fairness & Transparency
 E.g. obtain consent, no discrimination (e.g. insurance), provision of information (collected data, use of
automated decision-making, its logic and consequences)
 Purpose Limitation, Data Minimisation, Storage Limitation
 E.g. do not keep the data after the purpose has been met
 Ano-/Pseudonymise data as soon as possible with regard to the purpose (justification)
 Accuracy
 Enable the data subject to correct data, inaccurate data may result in wrong inferences
 Ensure measures for verifying accuracy & up-to-dateness repeatedly
cf. WP 29, Guidelines on automated decision-making, 10-12
To be complied with no matter what type of (processing or) decision-making is at hand!
Technical requirements not entirely clear!
05.07.2019

June 2019 | Page 27
www.donau-uni.ac.at
www.donau-uni.ac.at
Lawfulness of processing data – Art 6 GDPR
Consent
Legally recognized reason why
the processing is necessary
Performance of a contract
Legal obligation
Vital interests
Task in the public interest
Legitimate interests

June 2019 | Page 28
www.donau-uni.ac.at
Yes
- Strong limitations for
processing
- Economy is
dependent on the
legal framwork
(enable use of data)
No
 If citizens‘ trust in economy is a determinant
factor in economic growth:
 Transparent compliance to strong data protection
principles will potentially increase citizens‘ trust in the
data economy and thus
 Support data economy in developing its full potential
 Not as contradictory as it may seem!
Making economic use of data and protecting
individuals from full transparency: an opposing pair?
Mutually contradictory aspects?
Cf. Höchtl 2018

June 2019 | Page 29
www.donau-uni.ac.at
Agenda
I. Introduction
a. Data protection role
concept
b. General data protection
principles
22 GDPR
impact on concrete cases:
a. Research Project
SmartGov - Smart
Governance

June 2019 | Page 30
www.donau-uni.ac.at
The data subject shall have the right not to be subject to a decision with certain
characteristics:
 How the decision was made: based solely on automated processing, including
profiling
 What follows from the decision: legal effects concerning the data subject or similar
significant effect
– Example for a decision with legal effects: termination of a contract (Feiler/Forgó 2017, EU-DSGVO Art 22 mn 3)
– Example for a data subject being “similarly significantly” affected: exclusion of a job applicant solely
through an automated process (Feiler/Forgó 2017, EU-DSGVO Art 22 mn 4)
 Exceptions: When is automated individual decision making legally admissible?
– Necessity for contract data subject – data controller
– Union or Member State law: safeguards + legitimate interests
– Explicit consent
III. Decision Making & Art 22 GDPR
05.07.2019

June 2019 | Page 31
www.donau-uni.ac.at
Art 22 GDPR: Automated individual
decision-making
 In case of contract or consent: special safeguard measures, at
least the following rights for the data subject
 to obtain human intervention on the part of the controller,
 to express his point of view and
 to contest the decision
 Art 22 restricts decisions based on special categories of data
to
- Explicit consent or
- Union or Member State law setting out a reason of substantial public interest
for the processing (cf. (a) or (g) of Art 9 (2) GDPR)
05.07.2019

June 2019 | Page 32
www.donau-uni.ac.at
Profiling according to the GDPR
 Definition in Art 4 (4) GDPR: ‘profiling’ means any form of
– automated processing of personal data consisting of the use of personal data to
– evaluate certain personal aspects relating to a natural person, in particular to
– analyse or predict aspects concerning that natural person's
• performance at work,
• economic situation,
• health,
• personal preferences,
• interests,
• reliability,
• behaviour,
• location or movements;
 Information about an individual (or a group) is assessed and the individual
(group) is categorized e.g. to analyse or predict abilities to perform
tasks/interests/a behavior (cf. WP 29, Guidelines on automated decision-making, 7)
05.07.2019

June 2019 | Page 33
www.donau-uni.ac.at
Human involvement
 Profiling defined as “automated processing (…)”
 “human involvement does not necessarily take the activity out of the
definition” (WP 29, Guidelines on automated decision-making, 7)
– Pretending human involvement without real influence will not suffice
– Competence to change the decision (cf. WP 29, Guidelines on automated decision-making, 21; Buchner in Kühling/Buchner, DS-
GVO 2017, Art 22 mn 15; Kamlah in Plath BDSG/DSGVO2, 2016,Art 22 DSGVO, mn 6 and § 6a BDSG mn 11-13)
Purpose: Art 22 GDPR especially aims at restricting scoring and profiling to avoid humans
being made the object of a purely machine-made decision (Forgó ZVR 2018/240, 455)
05.07.2019

June 2019 | Page 34
www.donau-uni.ac.at
GDPR does not restrict Profiling itself
 Mere creation of a profile is not regulated by
Art 22 GDPR, but
 Profiling which affects humans through
measures or decisions(Gierschmann et al. 2018, Art 22, mn 4)
05.07.2019

June 2019 | Page 35
www.donau-uni.ac.at
www.donau-uni.ac.at
General
Profiling
Decision-
Making based
on Profiling
Automated
decision-
making
including
profiling Art 22
A person applies
for a loan online…
Credit score A human decides
based on a purely
automatedly
produced profile
An algorithm
decides and this
decision is
automatically
delivered to the
receiver
(cf. WP 29, Guidelines on automated decision-making, 9)
Comparing Profiling to
Automated decision-making

June 2019 | Page 36
www.donau-uni.ac.at
Agenda
I. Introduction
concept
principles
22 GDPR
a. Research Project
SmartGov - Smart
Governance

June 2019 | Page 37
www.donau-uni.ac.at
IV. Discussion of the GDPRs impact on
concrete cases
 Research project Advanced decision support
for Smart Governance
 Research on data protection aspects of the
use of so-called „autonomous systems“
05.07.2019

June 2019 | Page 38
www.donau-uni.ac.at
www.donau-uni.ac.at

June 2019 | Page 39
www.donau-uni.ac.at
www.donau-uni.ac.at
Case 1: Advanced decision support for smart
governance (SmartGov)
 Aims
 Include existing data in decision making basis (e.g.
demographical, traffic)
 Simulate potential decision results
 Select the best decision
 Case: PA aims at basing decisions on optimizing waste
management on active & passive e-participation through
social media
 Active: citizens address PA, answering to questions
 Passive: PA analyses data citizens share in social media
Aims
Case
Legal Requirements

June 2019 | Page 40
www.donau-uni.ac.at
Parked carsDuration of
execution
No. Shops
Suitability
of route
Social Media Engine
FB Tw
Sentiment Analysis
Fuzzy Cognitive Map
Time Congestion TrafficWaste
amount
1. Depict relations: how do the
concepts influence each other?
2. Run simulations
- Scenario 1 change x results in
better or worse route suitability?
- Scenario 2 change y results in
better or worse route suitability?
Etc.
3. Choose best Scenario and decide
05.07.2019

June 2019 | Page 41
www.donau-uni.ac.at
Lawfulness (Art 6 GDPR):
Consent
 Does posting in social media publicly imply a
permission to use the data?
• No permission to an organization to process massive and
• Repetitive data without informing the data subjects
(French Supervisory Authority, Delibération 2011-203)
 Validity:
• Legal capacity
• Informedness
• Country-specific differences
Country Age Limit
Austria,
France
15
Cyprus 14
Netherlands 16 (= Art 8
(2) GDPR)
05.07.2019

June 2019 | Page 42
www.donau-uni.ac.at
Lawfulness (Art 6 GDPR):
Legal basis
 Legal obligation or task carried out by the controller in the
public interest (Art 6 (1) c and e GDPR)
 Requirements of Art 8 (2) European Convention for the
Protection of Human Rights and Fundamental Freedoms
(ECHR)  Especially pursuing the following interests
– National security, public safety,
– Economic well-being of the country,
– Prevention of disorder or crime,
– Protection of health or morals or protection of the rights and freedoms of
others
05.07.2019

June 2019 | Page 43
www.donau-uni.ac.at
Legal obligation and Art 8 ECHR
 Two potential argumentation lines
– Public safety (municipal traffic management)
– Economic well-being
• Optimization of services of general interest (such as
electricity, water and waste management)
• Budgetary rigor
 Do not extend search to whole network!
05.07.2019

June 2019 | Page 44
www.donau-uni.ac.at
Recommendation:
Data Protection Impact Assessment
 The WP 29 lists criteria which are decisive for the
requirement of a DPIA (WP 29, 2017, 9-10).
 Amongst others, the following are relevant for
SmartGov:
– Sensitive data or data of a highly personal nature (like
political opinions or location data)
– Data processing on a large scale
– Combining datasets
– Innovative use or applying new technological solutions
(like “Internet of Things” applications)
05.07.2019

June 2019 | Page 45
www.donau-uni.ac.at
Criteria for an acceptable DPIA:
Brief overview (WP 29 2017)
1. Description of the intended processing
2. Necessity and proportionality
3. Risk mitigation
4. Consultation with interested parties
Criteria for an acceptable DPIA (WP 29 2017, 22) partly extracted from SmartGov D2.4.2
05.07.2019

June 2019 | Page 50
www.donau-uni.ac.at
Summary
 DPIA!
 Lawfulness
– Consent
– Legal basis
– Research exception
• „Broader purpose“
• Research project „optimization of waste management“ /
„school routes“
05.07.2019

June 2019 | Page 51
www.donau-uni.ac.at
Agenda
I. Introduction
concept
principles
22 GDPR
a. Research Project
SmartGov - Smart
Governance

June 2019 | Page 52
www.donau-uni.ac.at
Case 2: Autonomous systems
 National and international
stakeholders
 European Parliament
European Parliament resolution of 16 February
2017 with recommendations to the
Commission on Civil Law Rules on Robotics
(2015/2103(INL))
 German and Austrian
Government ~ AI Strategy
 Consulting Agencies
Cf. Höchtl 2019

June 2019 | Page 53
www.donau-uni.ac.at
Research: Definition of AI
 No universally agreed definition
 Compared to human intelligence
 Difficulties
 Super Intelligence, Strong and Weak AI
 Fact: Programs won over humans
 „a system‘s ability to interpret external data correctly, to
learn from such data, and to use those learnings to
achieve specific goals and tasks through flexible
adaptation“(Kaplan/Haenlein 2018)
 Perception, Learning, Actions
Cf. Höchtl 2019

June 2019 | Page 54
www.donau-uni.ac.at
Autonomous System
 „Autonomous“ System – Ethical concerns
 Criteria for what constitutes an autonomous System?
Where to draw the line?
 Goal-orientation, autonomy, ability to learn, ability to react (Wiebe 2002)
 Deciding and implementing decisions without external control (EP 2017)
 Pursuing and changing own goals (Teubner 2018)
 Non-determination (Kirn/Müller-Hengstenberg 2014)
 „Self-regulation“: Application of the learned to a new situation in an
adapted form (Dumitrescu et al. 2018)
 Example: softwareagents/bots
 Pursue their user‘s goals
 „a program that acts independently on behalf of its user (…)“ (Vulkan 1999)
Cf. Höchtl 2019

June 2019 | Page 55
www.donau-uni.ac.at
Autonomous acting in the user‘s interest
requires knowing the user‘s preferences
Source Picture : https://pixabay.com/de/checkliste-2313804/ CC0 Creative Commons Freie
kommerzielle Nutzung; Kein Bildnachweis nötig

June 2019 | Page 56
www.donau-uni.ac.at
Examples for the use of a software agent
being within the scope of GDPR
 Data the user provides to the bot
 Additional data the bot can potentially collect
Type of data* Relation to a person
Data about the Device (smartphone, notebook):
- IP-address, serial number
- battery, error logs, internet connection, brand
Conclusions concerning location, financial background,
values
Information linked to the use:
- Typing
- Personalised aspects (background picture, alarm
time, apps, stored data)
- Sensor data
Conclusions concerning mood, preferences
*Based on the categories of data in context of autonomous driving identified by Klink/Straub/Straub 2018
Cf. Höchtl 2019

June 2019 | Page 57
www.donau-uni.ac.at
AI as Controller?
 Controller
 Art 4 Z 7 GDPR: Decision on purpose and means of processing
 Factual power to decide , not necessarily legally admissible (WP 29
Stellungnahme 1/2010)
 Looking back: Autonomy is characterised through making decisions
and implementing them without external control (EP 2017)
 Legal classification of AI?
The user uses AI as a tool to make his
declaration of intent. The user accepts
the result when approving the
parameters of the system. (Rabl 2017)
Use of a system marked as autonomous
system, representative with limited legal
capacity for conclusions of contracts
(Specht/Herold 2018)
No human consciousness – no formation
of a declaration of will– no legal
personhood
(Köbrich/Froitzheim 2017)
Liability of the AI itself or as vicarious
liability – If the robot can think
independently, then he can also act
culpably. (Kessler 2017)
Cf. Höchtl 2019

June 2019 | Page 58
www.donau-uni.ac.at
Responsibility – Control
Who controls AI?
 User
 Bot as processor?
 Bot as tool
 Person with kill-switch
 Control of the running system?
 Both bot and user
 Shared Responsibility
 Joint controllers (Art 26 GDPR)
 Bot
 System as controller
 Legal capacity?
 Too far-fetched? E.g. USA: AI as „driver“(Eisenberger et al. 2016)
Source Picture: https://pixabay.com/de/steuermann-steuerrad-kapit%C3%A4n-2789168/
Pixabay License Freie kommerzielle Nutzung Kein Bildnachweis nötigCf. Höchtl 2019

June 2019 | Page 59
www.donau-uni.ac.at
Data Subject‘s Rights
 Information: Label bot as a bot?
 Autonomous System as controller: Labelling obligation?
 First answer or in advance of start of the conversation (general discussion on
labelling requirement e.g. Köbrich/Froitzheim 2017)
 Lack of standards for implementation
 Erasure: Removal from search index, overwrite, back-ups, especially
where interconnected systems are concerned
 Technically, data is „deleted“ through highlighting it as deleted and
removing them from the search index (Villaronga/Kieseberg/Li 2018)
 Data portability in cases of more than one data subject being affected
(Kamann/Braun in Ehmann/Selmayr (2017), Art 20 mn 31)
Cf. Höchtl 2019

June 2019 | Page 60
www.donau-uni.ac.at
Agenda
I. Introduction
concept
principles
22 GDPR
a. Research Project
SmartGov - Smart
Governance

June 2019 | Page 61
www.donau-uni.ac.at
V. Quiz (1/2)
 What does the GDPR aim at?
– Support data economy & enhance trust
 What is personal data?
– Link to an individual (natural) person
 What is purpose limitation?
– Data shall be used for no purpose other than the one
the data was collected for (exceptions e.g. research)
05.07.2019

June 2019 | Page 62
www.donau-uni.ac.at
Quiz (2/2)
 What is a data protection impact assessment?
– Necessary when certain conditions are met
– Description of the processing, risk and mitigation
measures
 If someone asks you about legal challenges of
autonomous systems, what will you answer?
– Obligations – control: Who controls an autonomous
system?
05.07.2019

June 2019 | Page 63
www.donau-uni.ac.at
Discussion
 What should be the criteria for autonomous
systems, which they should apply when balancing
different legal assets against each other? (Kessler 2017)
 How can an uninfluenced development of
humans as goal of the use of autonomous
systems be reached and how can the law provide
guidance for the system with regard to what is
„the good“? (Europ. Gruppe für Ethik der Naturwissenschaften und der Neuen Technologien für EK 2018)
05.07.2019

June 2019 | Page 64
www.donau-uni.ac.at
Danube University Krems.
University for Continuing Education.
Questions?
bettina.hoechtl@donau-uni.ac.at
http://www.donau-uni.ac.at/ega
Dr.-Karl-Dorrek-Straße 30
3500 Krems
Austria
Thank you
for your attention!

June 2019 | Page 65
www.donau-uni.ac.at
Further Reading
 GDPR, multilingual display and documents related to the GDPR
https://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=celex%3A32016R0679
 European Data Protection Board‘s (https://edpb.europa.eu/) endorsement
of the WP 29‘s guidelines
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp2
9_documents_en_0.pdf
 Hoepman (2014), Privacy Design Strategies in ICT Systems Security and
Privacy Protection (SEC), Marrakesh, Morocco, Springer, 446-459.
05.07.2019

June 2019 | Page 66
www.donau-uni.ac.at
Selected References
 Mandinach, E. B. (2012), A Perfect Time for Data Use: Using Data-Driven Decision Making to Inform Practice, Educational Psychologist Vol. 47, Issue 2, 71-85.
 WP 29 (2018), Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679
 Feiler, L. and Forgó, N. (2017), EU-DSGVO, Verlag Österreich
 Isaacs, M. L. (2003), Data-Driven Decision Making: The Engine of Accountability, Professional School Counseling, Vol. 6, No. 4, Special Issue: Carreer Development and
the changing workplace, 288-295.
 Mc Afee, A. and Brynjolfsson, E. (2012), Big Data: The Management Revolution, Harvard Business Review, 3-9.
 WP 29 (2017), Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is „likely to result in a high risk“ for the purposes of
Regulation 2016/679
 Kaplan, A. and Haenlein, M. (2019), Siri, Siri, in my hand: Who’s the fairest in the land? On the interpretations, illustrations, and implications of artificial intelligence,
Business Horizons, Vol. 62, Issue 1, January-February 2019, 15-25.
 Wiebe, A. (2002), Die elektronische Willenserklärung, J.C.B. Mohr (Paul Siebeck), Tübingen.
 Kirn and Müller-Hengstenberg, Intelligente (Software-)Agenten: Von der Automatisierung zur Autonomie? Verselbständigung technischer Systeme, MMR 2014, 225
(229).
 Dumitrescu et al. (2018), Studie „Autonome Systeme“, Studien zum deutschen Innovationssystem, No. 13-2018, Expertenkommission Forschung und Innovation (EFI),
Berlin.
 Vulkan (1999), The Economic Journal 109 (February), USA, F 67-F90 (F86).
 Eisenberger, Gruber, Huber, Lachmayer, Automatisiertes Fahren Komplexe regulatorische Herausforderungen, ZVR 2016/158, 383.
 Höchtl (2018) Making Economic Use of Data and Protecting Individuals from Full Transparency: An Opposing Pair? Medien und Recht International,
2018 (vol. 15), Heft 2/18: 74-76.
 Höchtl (2019) in Schweighofer/Kummer, Saarenpää (eds.), Internet of Things, Proceedings of the 22nd International Legal Informatics Symposium IRIS
2019, Datenschutzrechtliche Implikationen autonomer Systeme, 169-176.
 Köbrich and Froitzheim, Lass uns quatschen – Werbliche Kommunikation mit Chatbots, WRP 10/2017, 1188.
 Villaronga/Kieseberg/Li 2018), Humans forget, machines remember: Artificial intelligence and the Right to Be Forgotten, Computer Law & Security Review 34, Elsevier,
(2018) 304-313, S. 309-313.
 Ehmann/Selmayr 2017, DS-GVO, C.H.BECK LexisNexis, München
05.07.2019

June 2019 | Page 89
www.donau-uni.ac.at
Exercises
 Pick an issue
 Structure & Process
 Discussion
 Supervisor
 Deadline
05.07.2019

Legal Implications of data-driven decision making

Recomendados

Recomendados

Más contenido relacionado

Similar a Legal Implications of data-driven decision making

Similar a Legal Implications of data-driven decision making (20)

Más de Samos2019Summit

Más de Samos2019Summit (20)

Último

Último (20)

Legal Implications of data-driven decision making