1. Danube University Krems. University for Continuing Education.
June 2019 | Page 1
www.donau-uni.ac.at
Legal implications of data-driven decision making
Mag. Bettina Höchtl
Samos, June 2019
2. Danube University Krems. University for Continuing Education.
Mag. Bettina Höchtl
Doctoral candidate (2019)
Member of scientific staff (Danube University Krems, 2014-present)
Associate (Lawyer’s office, 2012-2013)
Trainee (Regional Criminal Court Vienna, County Court Schwechat, 2011-2012)
Master of Law (University of Vienna 2011)
05.07.2019
3. Danube University Krems. University for Continuing Education.
Key aims of the lecture
Basic introduction & general insights into General Data Protection Regulation (GDPR)
Examples of how GDPR affects certain technology use
4. Danube University Krems. University for Continuing Education.
Agenda
I. Introduction
II. GDPR – Basic overview
a. Aims
b. Fundamental Concepts
c. Key Roles
d. Principles
III. Decision making and Art 22 GDPR
IV. Discussion of the GDPR’s impact on concrete cases
a. Research Project SmartGov - Smart Governance
b. Autonomous systems
V. Quiz & Discussion
5. Danube University Krems. University for Continuing Education.
I. Introduction
What is data-driven decision making?
Different approaches
– Additional sources for a broader decision making basis
– Suggestions for decisions
– Actual decision making through the system
Various application scenarios
6. Danube University Krems. University for Continuing Education.
Why data-driven decision making?
…from the public administration (PA) perspective
Better decisions?
– Additional information providing insights policy makers didn’t have before
– McAfee and Brynjolfsson 2012: “The evidence is clear: Data-driven decisions tend to be better decisions.”
Principle of outcome-orientation
– Measurable Results
– Indicators & Comparisons
Limited budget & personnel resources
– Free personnel from routine tasks through technological support
– Data production increases: more efficiency using existing resources
7. Danube University Krems. University for Continuing Education.
Why data-driven decision making?
…from the citizen- and the economic perspective
Citizens
– Data-driven decision making as the “engine of accountability” in educational context (Isaacs 2003)
– Transparency – comprehensibility – citizen participation
• Background information
• Implications: other policy domains
Economy
– Use as management tool in companies (McAfee and Brynjolfsson 2012)
8. Danube University Krems. University for Continuing Education.
Data driven decision making touches various areas of law
– Constitution, e.g. Rule of Law
– Data protection
– Copyright
– Procedural Rights
– Other aspects
9. Danube University Krems. University for Continuing Education.
How data-driven decision making?
Variety of Types
Fully automated or partly automated
(In-)Applicability of Art 22 GDPR
– Automated individual decision-making according to Art 22 GDPR
– Profiling according to Art 22 GDPR
Special requirements of Art 22 GDPR – to be met in addition to the general data protection principles!
10. Danube University Krems. University for Continuing Education.
Application areas of data driven decision-making
Use in education cf. Mandinach 2012; WP 29 (2018) refers to Guidelines on automated decision making, p. 5
Areas mentioned by WP 29 (2018):
Taxation
Insurance
Marketing
Advertising
Healthcare
Finance
Other areas
Education
Credit bureaus / score
Job application / Labour market – Austrian labour market service (probable duration of unemployment)
11. Danube University Krems. University for Continuing Education.
Potentials & Challenges
Potentials
– Tailor services to individual needs* (medicine, education)
– Enhance efficiency with limited (personnel) resources
– Discovery of new correlations
Challenges
– Restrict people to their preferences*
– Perpetuate existing stereotypes*
– Discrimination, Bias in algorithms
(*Cf. WP 29 (2018) Guidelines on automated decision making, p. 5)
13. Danube University Krems. University for Continuing Education.
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC
II. GDPR-Basic Overview
a. Aims
14. Danube University Krems. University for Continuing Education.
Underlying Considerations
Dual Objectives
Technological development as challenge for data protection (Recital 6)
– Increase of exchange of personal data (companies, authorities)
– Publication of personal data (individuals)
Contribution to economic and social progress (Recital 2)
– Strengthening of the economies within the internal market
– Well-being of natural persons
Enhancement of trust, security and control (Recital 7)
– Trust and security as a basis for economic growth
– Natural persons should control their own data
15. Danube University Krems. University for Continuing Education.
b. Fundamental Concepts
Crucial: Personal data & anonymisation
16. Danube University Krems. University for Continuing Education.
Is this personal data?
Picture references see References at the end of these slides
17. Danube University Krems. University for Continuing Education.
Is this personal data?
18. Danube University Krems. University for Continuing Education.
Relation to an individual person
19. Danube University Krems. University for Continuing Education.
Relation to a group
20. Danube University Krems. University for Continuing Education.
Personal vs. Anonymous Data
Is personal data involved?
– Personal data
– Non personal data
– Previously personal data
Anonymous information (Recital 26)
– information which does not relate
• to an identified or
• identifiable natural person or
– personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable
“the question of whether data relate to a certain person is something that has to be answered for each specific data item on its own merits” (WP 29 4/2007, 12)
21. Danube University Krems. University for Continuing Education.
Anonymisation
Absolute Theory vs. Relative Theory
ECJ judged that a dynamic IP-address is personal data for the
• operator of a website when he has
• legal means which allow him to have the person identified through
• combination with additional information available to the person’s internet service provider (ECJ, C 582/14, 49)
Recital 26:
To determine whether a natural person is identifiable, account should be taken of
• all the means reasonably likely to be used,
• either by the controller or
• by another person
to identify the natural person
22. Danube University Krems. University for Continuing Education.
„What can I do to anonymise my dataset?“
GDPR provides minimum Standards
= State of the art, but no technical requirements for anonymisation (Klar and Kühling in Kühling and Buchner 2017, Art 4 Nr. 1 mn 33)
Privacy enhancing technologies (PETs)
– E.g. aggregation (Hoepman 2014)
In case of doubt, better qualify the data as personal data
23. Danube University Krems. University for Continuing Education.
c. Key Roles
What roles does the GDPR provide?
Three main actors
– Controller
– Data Subject
– Processor
24. Danube University Krems. University for Continuing Education.
Territorial scope (Art 3 GDPR)
Processing activities linked to
– An establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not
or
– The data subject being in the EU and being
• Offered goods and services or
• Behaviourally monitored
25. Danube University Krems. University for Continuing Education.
Controller and Data Subject
Controller
– Means & purpose of processing
– Main Responsibility: Demonstration of compliance with data protection principles (Art 5 GDPR)
o Lawfulness
o Purpose Limitation
o Data Minimisation
o Storage Limitation,…
Data Subject
– Individual natural person the personal data can be related to
– Data Subject’s Rights: Art 12-20 GDPR
o Access
o Rectification
o Erasure
o Data Portability,…
26. Danube University Krems. University for Continuing Education.
d. Principles
Art 5 GDPR
Lawfulness, Fairness & Transparency
E.g. obtain consent, no discrimination (e.g. insurance), provision of information (collected data, use of automated decision-making, its logic and consequences)
Purpose Limitation, Data Minimisation, Storage Limitation
E.g. do not keep the data after the purpose has been met
Ano-/Pseudonymise data as soon as possible with regard to the purpose (justification)
Accuracy
Enable the data subject to correct data, inaccurate data may result in wrong inferences
Ensure measures for verifying accuracy & up-to-dateness repeatedly
cf. WP 29, Guidelines on automated decision-making, 10-12
To be complied with no matter what type of (processing or) decision-making is at hand!
Technical requirements not entirely clear!
27. Danube University Krems. University for Continuing Education.
Lawfulness of processing data – Art 6 GDPR
– Consent
– Legally recognized reason why the processing is necessary
• Performance of a contract
• Legal obligation
• Vital interests
• Task in the public interest
• Legitimate interests
28. Danube University Krems. University for Continuing Education.
Making economic use of data and protecting individuals from full transparency: an opposing pair?
Mutually contradictory aspects?
Yes
- Strong limitations for processing
- Economy is dependent on the legal framework (enable use of data)
No
If citizens’ trust in economy is a determinant factor in economic growth:
- Transparent compliance with strong data protection principles will potentially increase citizens’ trust in the data economy and thus
- Support data economy in developing its full potential
Not as contradictory as it may seem!
Cf. Höchtl 2018
29. Danube University Krems. University for Continuing Education.
Agenda
I. Introduction
II. GDPR – Basic overview
a. Data protection role concept
b. General data protection principles
III. Decision making and Art 22 GDPR
IV. Discussion of the GDPR’s impact on concrete cases:
a. Research Project SmartGov - Smart Governance
b. Autonomous systems
V. Quiz & Discussion
30. Danube University Krems. University for Continuing Education.
III. Decision Making & Art 22 GDPR
The data subject shall have the right not to be subject to a decision with certain characteristics:
How the decision was made: based solely on automated processing, including profiling
What follows from the decision: legal effects concerning the data subject or similarly significant effect
– Example for a decision with legal effects: termination of a contract (Feiler/Forgó 2017, EU-DSGVO Art 22 mn 3)
– Example for a data subject being “similarly significantly” affected: exclusion of a job applicant solely through an automated process (Feiler/Forgó 2017, EU-DSGVO Art 22 mn 4)
Exceptions: When is automated individual decision making legally admissible?
– Necessity for a contract between data subject and data controller
– Union or Member State law: safeguards + legitimate interests
– Explicit consent
31. Danube University Krems. University for Continuing Education.
Art 22 GDPR: Automated individual decision-making
In case of contract or consent: special safeguard measures, at least the following rights for the data subject
- to obtain human intervention on the part of the controller,
- to express his point of view and
- to contest the decision
Art 22 restricts decisions based on special categories of data to
- Explicit consent or
- Union or Member State law setting out a reason of substantial public interest for the processing (cf. (a) or (g) of Art 9 (2) GDPR)
32. Danube University Krems. University for Continuing Education.
Profiling according to the GDPR
Definition in Art 4 (4) GDPR: ‘profiling’ means any form of
– automated processing of personal data consisting of the use of personal data to
– evaluate certain personal aspects relating to a natural person, in particular to
– analyse or predict aspects concerning that natural person's
• performance at work,
• economic situation,
• health,
• personal preferences,
• interests,
• reliability,
• behaviour,
• location or movements;
Information about an individual (or a group) is assessed and the individual (group) is categorized e.g. to analyse or predict abilities to perform tasks/interests/a behavior (cf. WP 29, Guidelines on automated decision-making, 7)
33. Danube University Krems. University for Continuing Education.
Human involvement
Profiling defined as “automated processing (…)”
“human involvement does not necessarily take the activity out of the definition” (WP 29, Guidelines on automated decision-making, 7)
– Pretending human involvement without real influence will not suffice
– Competence to change the decision (cf. WP 29, Guidelines on automated decision-making, 21; Buchner in Kühling/Buchner, DS-GVO 2017, Art 22 mn 15; Kamlah in Plath BDSG/DSGVO2, 2016, Art 22 DSGVO, mn 6 and § 6a BDSG mn 11-13)
Purpose: Art 22 GDPR especially aims at restricting scoring and profiling to avoid humans being made the object of a purely machine-made decision (Forgó ZVR 2018/240, 455)
34. Danube University Krems. University for Continuing Education.
GDPR does not restrict Profiling itself
Mere creation of a profile is not regulated by Art 22 GDPR, but
Profiling which affects humans through measures or decisions (Gierschmann et al. 2018, Art 22, mn 4)
35. Danube University Krems. University for Continuing Education.
Comparing Profiling to Automated decision-making
A person applies for a loan online…
– General Profiling: Credit score
– Decision-Making based on Profiling: A human decides based on a purely automatedly produced profile
– Automated decision-making including profiling (Art 22): An algorithm decides and this decision is automatically delivered to the receiver
(cf. WP 29, Guidelines on automated decision-making, 9)
37. Danube University Krems. University for Continuing Education.
IV. Discussion of the GDPR’s impact on concrete cases
Research project Advanced decision support for Smart Governance
Research on data protection aspects of the use of so-called „autonomous systems“
39. Danube University Krems. University for Continuing Education.
Case 1: Advanced decision support for smart governance (SmartGov)
Aims
– Include existing data in decision making basis (e.g. demographic, traffic)
– Simulate potential decision results
– Select the best decision
Case: PA aims at basing decisions on optimizing waste management on active & passive e-participation through social media
– Active: citizens address PA, answering questions
– Passive: PA analyses data citizens share in social media
40. Danube University Krems. University for Continuing Education.
[Figure: Social Media Engine (FB, Tw), Sentiment Analysis and Fuzzy Cognitive Map; concepts shown: Parked cars, Duration of execution, No. Shops, Time, Congestion, Traffic, Waste amount, Suitability of route]
1. Depict relations: how do the concepts influence each other?
2. Run simulations
- Scenario 1: change x results in better or worse route suitability?
- Scenario 2: change y results in better or worse route suitability?
Etc.
3. Choose best Scenario and decide
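The three steps above, worked through as an added example that is not SmartGov project code: a small fuzzy cognitive map over the concepts named on the slide, simulated for several scenarios. The edge weights, the scenario names and the activation values are constructed for illustration only.

```python
import math

# Step 1: relations between the slide's concepts. Weights are constructed:
# the sign gives the direction of influence, the magnitude its strength.
WEIGHTS = {
    ("parked_cars", "congestion"): 0.7,
    ("traffic", "congestion"): 0.6,
    ("no_shops", "waste_amount"): 0.5,
    ("congestion", "duration_of_execution"): 0.8,
    ("waste_amount", "duration_of_execution"): 0.4,
    ("congestion", "suitability_of_route"): -0.6,
    ("duration_of_execution", "suitability_of_route"): -0.9,
}
CONCEPTS = sorted({concept for edge in WEIGHTS for concept in edge})


def squash(x, steepness=2.0):
    """Sigmoid that maps a weighted sum to an activation in (0, 1)."""
    return 1.0 / (1.0 + math.exp(-steepness * x))


def simulate(scenario, max_steps=50, tol=1e-6):
    """Step 2: iterate the map until it settles.

    Concepts listed in `scenario` are clamped to the given activation,
    all others start at 0.5 and follow their incoming edges.
    """
    state = {c: scenario.get(c, 0.5) for c in CONCEPTS}
    for _ in range(max_steps):
        nxt = {}
        for c in CONCEPTS:
            if c in scenario:
                nxt[c] = scenario[c]
            else:
                total = sum(w * state[src]
                            for (src, dst), w in WEIGHTS.items() if dst == c)
                nxt[c] = squash(total)
        if max(abs(nxt[c] - state[c]) for c in CONCEPTS) < tol:
            return nxt
        state = nxt
    return state


def best_scenario(scenarios, target="suitability_of_route"):
    """Step 3: pick the scenario with the highest target activation."""
    results = {name: simulate(s)[target] for name, s in scenarios.items()}
    return max(results, key=results.get), results


# Constructed scenarios: each changes one input relative to the baseline.
SCENARIOS = {
    "baseline": {"parked_cars": 0.8, "traffic": 0.7, "no_shops": 0.6},
    "parking_ban": {"parked_cars": 0.2, "traffic": 0.7, "no_shops": 0.6},
    "night_collection": {"parked_cars": 0.8, "traffic": 0.1, "no_shops": 0.6},
}

if __name__ == "__main__":
    winner, scores = best_scenario(SCENARIOS)
    for name, score in sorted(scores.items(), key=lambda kv: kv[1]):
        print(f"{name:18s} suitability={score:.4f}")
    print("chosen:", winner)
```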
41. Danube University Krems. University for Continuing Education.
Lawfulness (Art 6 GDPR): Consent
Does posting in social media publicly imply a permission to use the data?
• No permission to an organization to process massive and repetitive data without informing the data subjects (French Supervisory Authority, Délibération 2011-203)
Validity:
• Legal capacity
• Informedness
• Country-specific differences
Country: Age Limit
Austria, France: 15
Cyprus: 14
Netherlands: 16 (= Art 8 (2) GDPR)
42. Danube University Krems. University for Continuing Education.
Lawfulness (Art 6 GDPR): Legal basis
Legal obligation or task carried out by the controller in the public interest (Art 6 (1) c and e GDPR)
Requirements of Art 8 (2) European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR)
Especially pursuing the following interests
– National security, public safety,
– Economic well-being of the country,
– Prevention of disorder or crime,
– Protection of health or morals or protection of the rights and freedoms of others
43. Danube University Krems. University for Continuing Education.
Legal obligation and Art 8 ECHR
Two potential argumentation lines
– Public safety (municipal traffic management)
– Economic well-being
• Optimization of services of general interest (such as electricity, water and waste management)
• Budgetary rigor
Do not extend search to whole network!
44. Danube University Krems. University for Continuing Education.
Recommendation: Data Protection Impact Assessment
The WP 29 lists criteria which are decisive for the requirement of a DPIA (WP 29, 2017, 9-10).
Amongst others, the following are relevant for SmartGov:
– Sensitive data or data of a highly personal nature (like political opinions or location data)
– Data processing on a large scale
– Combining datasets
– Innovative use or applying new technological solutions (like “Internet of Things” applications)
45. Danube University Krems. University for Continuing Education.
Criteria for an acceptable DPIA: Brief overview (WP 29 2017)
1. Description of the intended processing
2. Necessity and proportionality
3. Risk mitigation
4. Consultation with interested parties
Criteria for an acceptable DPIA (WP 29 2017, 22) partly extracted from SmartGov D2.4.2
46. Danube University Krems. University for Continuing Education.
Summary
DPIA!
Lawfulness
– Consent
– Legal basis
– Research exception
• „Broader purpose“
• Research project „optimization of waste management“ / „school routes“
48. Danube University Krems. University for Continuing Education.
Case 2: Autonomous systems
National and international stakeholders
– European Parliament: European Parliament resolution of 16 February 2017 with recommendations to the Commission on Civil Law Rules on Robotics (2015/2103(INL))
– German and Austrian Government ~ AI Strategy
– Consulting Agencies
Cf. Höchtl 2019
49. Danube University Krems. University for Continuing Education.
Research: Definition of AI
No universally agreed definition
Compared to human intelligence
Difficulties
Super Intelligence, Strong and Weak AI
Fact: Programs won over humans
„a system‘s ability to interpret external data correctly, to learn from such data, and to use those learnings to achieve specific goals and tasks through flexible adaptation“ (Kaplan/Haenlein 2018)
Perception, Learning, Actions
Cf. Höchtl 2019
50. Danube University Krems. University for Continuing Education.
Autonomous System
„Autonomous“ System – Ethical concerns
Criteria for what constitutes an autonomous System?
Where to draw the line?
Goal-orientation, autonomy, ability to learn, ability to react (Wiebe 2002)
Deciding and implementing decisions without external control (EP 2017)
Pursuing and changing own goals (Teubner 2018)
Non-determination (Kirn/Müller-Hengstenberg 2014)
„Self-regulation“: Application of the learned to a new situation in an adapted form (Dumitrescu et al. 2018)
Example: software agents/bots
Pursue their user‘s goals
„a program that acts independently on behalf of its user (…)“ (Vulkan 1999)
Cf. Höchtl 2019
51. Danube University Krems. University for Continuing Education.
Autonomous acting in the user‘s interest requires knowing the user‘s preferences
52. Danube University Krems. University for Continuing Education.
Examples for the use of a software agent being within the scope of GDPR
– Data the user provides to the bot
– Additional data the bot can potentially collect
Type of data*: Data about the Device (smartphone, notebook)
- IP-address, serial number
- battery, error logs, internet connection, brand
Relation to a person: Conclusions concerning location, financial background, values
Type of data*: Information linked to the use
- Typing
- Personalised aspects (background picture, alarm time, apps, stored data)
- Sensor data
Relation to a person: Conclusions concerning mood, preferences
*Based on the categories of data in context of autonomous driving identified by Klink/Straub/Straub 2018
Cf. Höchtl 2019
53. Danube University Krems. University for Continuing Education.
AI as Controller?
Controller
Art 4 (7) GDPR: Decision on purpose and means of processing
Factual power to decide, not necessarily legally admissible (WP 29 Opinion 1/2010)
Looking back: Autonomy is characterised through making decisions and implementing them without external control (EP 2017)
Legal classification of AI?
– The user uses AI as a tool to make his declaration of intent. The user accepts the result when approving the parameters of the system. (Rabl 2017)
– Use of a system marked as autonomous system, representative with limited legal capacity for conclusions of contracts (Specht/Herold 2018)
– No human consciousness – no formation of a declaration of will – no legal personhood (Köbrich/Froitzheim 2017)
– Liability of the AI itself or as vicarious liability – If the robot can think independently, then he can also act culpably. (Kessler 2017)
Cf. Höchtl 2019
54. Danube University Krems. University for Continuing Education.
Responsibility – Control
Who controls AI?
User
– Bot as processor?
– Bot as tool
– Person with kill-switch
– Control of the running system?
Both bot and user
– Shared Responsibility
– Joint controllers (Art 26 GDPR)
Bot
– System as controller
– Legal capacity?
– Too far-fetched? E.g. USA: AI as „driver“ (Eisenberger et al. 2016)
Cf. Höchtl 2019
55. Danube University Krems. University for Continuing Education.
Data Subject‘s Rights
Information: Label bot as a bot?
Autonomous System as controller: Labelling obligation?
First answer or in advance of start of the conversation (general discussion on labelling requirement e.g. Köbrich/Froitzheim 2017)
Lack of standards for implementation
Erasure: Removal from search index, overwrite, back-ups, especially where interconnected systems are concerned
Technically, data is „deleted“ through highlighting it as deleted and removing it from the search index (Villaronga/Kieseberg/Li 2018)
Data portability in cases of more than one data subject being affected (Kamann/Braun in Ehmann/Selmayr (2017), Art 20 mn 31)
Cf. Höchtl 2019
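The gap between flagging data as deleted and erasing it, as described on the slide above, shown as an added example that is not part of the original slides. The toy store, its method names and the sample records are constructed for illustration; a real system has more places where copies live.

```python
from dataclasses import dataclass, field


@dataclass
class RecordStore:
    """Constructed toy store: append-only byte log, search index, backups."""
    log: bytearray = field(default_factory=bytearray)
    index: dict = field(default_factory=dict)       # key -> (offset, length)
    tombstones: dict = field(default_factory=dict)  # keys flagged as deleted
    backups: list = field(default_factory=list)     # snapshots of the log

    def put(self, key, value):
        self.index[key] = (len(self.log), len(value))
        self.log += value

    def get(self, key):
        loc = self.index.get(key)
        if loc is None:
            return None
        off, n = loc
        return bytes(self.log[off:off + n])

    def backup(self):
        self.backups.append(bytes(self.log))

    def soft_delete(self, key):
        """Flag the record as deleted and drop it from the search index.
        The bytes in the log and in existing backups are not touched."""
        if key in self.index:
            self.tombstones[key] = self.index.pop(key)

    def erase(self, key):
        """Overwrite the record in the live log and in every backup."""
        loc = self.index.pop(key, None) or self.tombstones.pop(key, None)
        if loc is None:
            return False
        off, n = loc
        blank = b"\x00" * n
        self.log[off:off + n] = blank
        # Backups taken before the record was written are shorter than
        # off + n and never contained it, so they are left as they are.
        self.backups = [b[:off] + blank + b[off + n:] if len(b) >= off + n else b
                        for b in self.backups]
        return True


def residual_copies(store, key, needle):
    """Report where the personal data can still be found."""
    return {
        "searchable": store.get(key) is not None,
        "in_log": needle in store.log,
        "in_backups": sum(needle in b for b in store.backups),
    }


def demo():
    store = RecordStore()
    # Constructed sample records.
    store.put("user:17", b"alice@example.org;lat=48.41;lon=15.60")
    store.put("user:18", b"bob@example.org;lat=47.07;lon=15.44")
    store.backup()

    store.soft_delete("user:17")
    after_soft = residual_copies(store, "user:17", b"alice@example.org")

    store.erase("user:17")
    after_erase = residual_copies(store, "user:17", b"alice@example.org")
    return after_soft, after_erase


if __name__ == "__main__":
    soft, hard = demo()
    print("after soft delete:", soft)
    print("after erase:      ", hard)
```

After the soft delete the record no longer appears in a search, yet a byte-level scan of the log and the backup still finds it; only the overwrite of all copies removes it.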
57. Danube University Krems. University for Continuing Education.
V. Quiz (1/2)
What does the GDPR aim at?
– Support data economy & enhance trust
What is personal data?
– Link to an individual (natural) person
What is purpose limitation?
– Data shall be used for no purpose other than the one the data was collected for (exceptions e.g. research)
58. Danube University Krems. University for Continuing Education.
Quiz (2/2)
What is a data protection impact assessment?
– Necessary when certain conditions are met
– Description of the processing, risk and mitigation measures
If someone asks you about legal challenges of autonomous systems, what will you answer?
– Obligations – control: Who controls an autonomous system?
59. Danube University Krems. University for Continuing Education.
Discussion
What should be the criteria for autonomous systems, which they should apply when balancing different legal assets against each other? (Kessler 2017)
How can an uninfluenced development of humans as goal of the use of autonomous systems be reached and how can the law provide guidance for the system with regard to what is „the good“? (European Group on Ethics in Science and New Technologies for the European Commission 2018)
60. Danube University Krems. University for Continuing Education.
Questions?
Mag. Bettina Höchtl
bettina.hoechtl@donau-uni.ac.at
http://www.donau-uni.ac.at/ega
Dr.-Karl-Dorrek-Straße 30
3500 Krems
Austria
Thank you for your attention!
61. Danube University Krems. University for Continuing Education.
Further Reading
GDPR, multilingual display and documents related to the GDPR
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679
European Data Protection Board‘s (https://edpb.europa.eu/) endorsement of the WP 29‘s guidelines
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf
Hoepman (2014), Privacy Design Strategies in ICT Systems Security and Privacy Protection (SEC), Marrakesh, Morocco, Springer, 446-459.
62. Danube University Krems. University for Continuing Education.
Selected References
Mandinach, E. B. (2012), A Perfect Time for Data Use: Using Data-Driven Decision Making to Inform Practice, Educational Psychologist Vol. 47, Issue 2, 71-85.
WP 29 (2018), Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679
Feiler, L. and Forgó, N. (2017), EU-DSGVO, Verlag Österreich
Isaacs, M. L. (2003), Data-Driven Decision Making: The Engine of Accountability, Professional School Counseling, Vol. 6, No. 4, Special Issue: Career Development and the changing workplace, 288-295.
McAfee, A. and Brynjolfsson, E. (2012), Big Data: The Management Revolution, Harvard Business Review, 3-9.
WP 29 (2017), Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is „likely to result in a high risk“ for the purposes of Regulation 2016/679
Kaplan, A. and Haenlein, M. (2019), Siri, Siri, in my hand: Who’s the fairest in the land? On the interpretations, illustrations, and implications of artificial intelligence, Business Horizons, Vol. 62, Issue 1, January-February 2019, 15-25.
Wiebe, A. (2002), Die elektronische Willenserklärung, J.C.B. Mohr (Paul Siebeck), Tübingen.
Kirn and Müller-Hengstenberg, Intelligente (Software-)Agenten: Von der Automatisierung zur Autonomie? Verselbständigung technischer Systeme, MMR 2014, 225 (229).
Dumitrescu et al. (2018), Studie „Autonome Systeme“, Studien zum deutschen Innovationssystem, No. 13-2018, Expertenkommission Forschung und Innovation (EFI), Berlin.
Vulkan (1999), The Economic Journal 109 (February), USA, F 67-F90 (F86).
Eisenberger, Gruber, Huber, Lachmayer, Automatisiertes Fahren Komplexe regulatorische Herausforderungen, ZVR 2016/158, 383.
Höchtl (2018) Making Economic Use of Data and Protecting Individuals from Full Transparency: An Opposing Pair? Medien und Recht International, 2018 (vol. 15), Heft 2/18: 74-76.
Höchtl (2019) in Schweighofer/Kummer, Saarenpää (eds.), Internet of Things, Proceedings of the 22nd International Legal Informatics Symposium IRIS 2019, Datenschutzrechtliche Implikationen autonomer Systeme, 169-176.
Köbrich and Froitzheim, Lass uns quatschen – Werbliche Kommunikation mit Chatbots, WRP 10/2017, 1188.
Villaronga/Kieseberg/Li (2018), Humans forget, machines remember: Artificial intelligence and the Right to Be Forgotten, Computer Law & Security Review 34, Elsevier, (2018) 304-313, pp. 309-313.
Ehmann/Selmayr 2017, DS-GVO, C.H.BECK LexisNexis, München
63. Danube University Krems. University for Continuing Education.
Exercises
Pick an issue
Structure & Process
Discussion
Supervisor
Deadline