With just days before implementation of the European Union’s General Data Protection Regulation (GDPR), discussions around compliance with the new privacy regulation are intensifying. Ironically, the more “clarity” we receive from European bodies seeking to provide guidance on the regulation, the opaque our understanding of the GDPR becomes.
This is especially true when considering one of the GDPR’s articles related to machine learning apps. Recently, the European Union’s (EU’s) Article 29 Data Protection Working Party (WP29) issued a response to the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit that is the sole administrator of the internet’s domain name system. In their letter, WP29 stated outright that ICANN’s interim GDPR compliance plan for the WHOIS database, which houses all the information for domain name owners, was insufficient. Though this letter brought bad news for ICANN’s WHOIS database, we believe the WP29 letter also poses significant implications for machine-learning-enabled apps.
As a quick refresher, the GDPR is the EU’s new data privacy regulation that is set to go into effect on May 25, 2018. The regulation will have far-reaching implications for every small business, corporation, or individual that handles the data of EU persons and will require companies and their contractors to comply with strict rules to ensure the protection of consumer data. You can learn more about the GDPR by reading our guide. Following the guidelines put forth by the GDPR, WP29 suggested the text of ICANN’s interim compliance plan was too broad when describing its “legitimate purpose” for the personal data ICANN collects and would violate Article 5(1)(b) of the GDPR. This article requires data collectors to comprehensively and exhaustively inform the data subject of all the legitimate purposes for collecting their personal data.
For a regulation that threatens penalties as high as € 20 million or 4 percent of global revenue, non-compliance poses great risks. WP29 believes ICANN’s model does not sufficiently comply with the GDPR’s Article 5(1)(b) because ICANN uses the term “including” in its privacy terms. To WP29, the term “include” suggests there are additional uses of the data that ICANN does not disclose to the data subject. In other words, WP29 concludes that by virtue of using the gerund “including” in their privacy statement when describing their “legitimate purpose” for collected personal data, ICANN would violate Article 5 of the GDPR.
But what does this have to do with machine learning? As it turns out, the two are very connected.
Machine learning uses statistical algorithms to enable a program or machine to learn new functions in near real-time. For this reason, GDPR compliance under the standard articulated by WP29 would be challenging for app developers who use machine learning in their products. For many machine learning apps, the ultimate use of personal data is not always clear at the time of collection. As such, it is nearly impossible for an app developer to initially describe their legitimate purpose for collecting data to satisfy WP29’s interpretation of Article 5. Based on this standard, app companies that use machine learning will have a hard time complying with Article 5’s comprehensive and exhaustive requirement without needing to obtain a data subject’s consent every time the machine learns something new. Alternatively, a company would be required to outline every possible current and future use of that data. Both options are untenable, especially for a growing small businesses.
Though the letter is directed to ICANN, WP29 does not state that their advice is limited to ICANN’s model. The broad application of this guidance, without additional clarity, could potentially stifle the innovative functions of machine learning apps or dissuade companies from offering machine learning solutions in the EU for fear of receiving a hefty GDPR fine.
This conundrum is challenging because of the unparalleled and unrealized societal benefits machine learning promises to bring. For example, machine learning has the ability to help autonomous vehicles better detect pedestrians in crosswalks or healthcare providers utilize precision medicine, and it has contributed to the rapid growth and success of the app economy and internet of things (IoT) revolution. We do not want a regulation intended to protect consumer data to stifle the innovations that bring broad consumer benefit. As we approach the GDPR’s implementation, it is imperative that WP29 clarify its description of Article 5 in its letter to ICANN and consider its implications for future machine learning innovations. The global app economy depends on it.