Machine Learning and GDPR

Updated: Apr 13


Guidelines on automated decision-making and profiling released under GDPR by the European Union’s Article 29 Data Protection Working Party (WP29) drew mixed reactions from machine learning enthusiasts.


This is mainly because these provisions are broader than many other aspects of GDPR, which might hurt companies that rely on machine learning in the long run.


Before we discuss this in more depth and why it is a problem for companies, let us first define “machine learning”.


It is a field of computer science that is related to computational statistics. It is the science of getting computers to act without being explicitly programmed. Applications of machine learning include adaptive websites, bioinformatics, self-driving cars, practical speech recognition, effective web search, and a vastly improved understanding of the human genome.


Even before the existence of GDPR, machine learning was met with criticism, particularly when it comes to ethics. These problems range from humans losing their jobs all the way to people doubting the capabilities of robots to make trustworthy decisions.

GDPR introduces regulation and has an article dedicated to automated decision-making and profiling. While this doesn’t necessarily forbid companies from using machine learning, it does, however, limit what they can do if they are to remain compliant.


Article 22 of GDPR, which tackles automated decision-making, states:

THE DATA SUBJECT SHALL HAVE THE RIGHT NOT TO BE SUBJECTED TO A DECISION BASED SOLELY ON AUTOMATED PROCESSING, INCLUDING PROFILING, WHICH PRODUCES LEGAL EFFECTS CONCERNING HIM OR HER OR SIMILARLY SIGNIFICANTLY AFFECTS HIM OR HER

The exemptions to this statement are set out in the same article, and they apply when the processing:

(A) IS NECESSARY FOR ENTERING INTO, OR PERFORMANCE OF, A CONTRACT BETWEEN THE DATA SUBJECT AND A DATA CONTROLLER;

(B) IS AUTHORISED BY UNION OR MEMBER STATE LAW TO WHICH THE CONTROLLER IS SUBJECT AND WHICH ALSO LAYS DOWN SUITABLE MEASURES TO SAFEGUARD THE DATA SUBJECT’S RIGHTS AND FREEDOMS AND LEGITIMATE INTERESTS; OR

(C) IS BASED ON THE DATA SUBJECT’S EXPLICIT CONSENT.


Under Article 13 of GDPR, subjects have the right to ask for an explanation behind the logic involved. To be specific, GDPR does not prohibit profiling. It does, however, require transparency of all the operations, appropriate statistical procedures and accuracy of data. It also places a strong emphasis on the right to opt out, which is something GDPR insists on in every area where consent is involved, not just in profiling.


This is not the case for WP29.


While GDPR gives the right to opt out, WP29, on the other hand, takes it up a notch by making it completely prohibited.


AS A RULE, THERE IS A PROHIBITION ON FULLY AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING THAT HAS A LEGAL OR SIMILARLY SIGNIFICANT EFFECT

This is a major problem for business establishments that rely heavily on machine learning when it comes to promoting their products and/or services.


There are evidently unending worries that these new guidelines brought about by WP29 will suppress machine learning from progressing further, especially among those who use it for research purposes.


First and foremost, GDPR is and will always be in favour of the rights of the data subjects. With that said, the provisions involving automated decision-making and profiling were created to protect those rights. This would then mean that discrimination and invasion of privacy will occur less often and that the collection of pointless data should be completely eliminated.


When you purchase an item online, sellers often ask their buyers to create an account and provide their credit card and delivery address. This isn’t necessarily a problem, since this is valuable information for the transaction. If you give permission to the seller to save your data for further processing, then there is no problem with it. However, a lot of retailers have used this information to build profiles of their consumers based on the purchases they made.


Data collection and profiling, however, aren’t necessary for the performance of the contract, which brings us to the role of GDPR: to put an end to this and to reduce discrimination, if not wipe it out entirely.


Of course, with the benefits of profiling also come negatives. Profiling can lead to discrimination, which in turn would give some consumers worse deals. One good example is how prices would vary depending on the location of the buyer.


This brings us to the guidelines presented by WP29 and the scoring of customers based on their financial capability. These scores are used to offer deals and other financial services to these consumers, which is bad for the data subjects.


Secondly, limiting storage would be another potential concern when it comes to machine learning. Under Article 5 of GDPR, personal data should not be kept longer than necessary for the purposes of the processing. This is problematic for machine learning algorithms, as they often process enormous volumes of data and build correlations. Because of this, an ample amount of time is required for the algorithm to provide better results. The implementation of the new provisions could get in the way of storing data for long periods of time, thereby tainting the proportionality considerations.


To sum up the foregoing, while WP29 may seem like a lot of work, it isn’t really meant to prevent research carried out with the help of machine learning, as some people worried. Its main goal is to prevent discrimination and unfair practices. Consent is still a main player, but transparency is also necessary when it comes to profiling or automated decision-making algorithms. Never forget to put the rights of the data subjects FIRST and respect the provisions of the GDPR, and your company will be just fine.


© 2018 - 2020 GDPR Community Ltd
