Data Governance in a Data Hungry World

Lauren Toulson
Published in CARRE4, Nov 10, 2020

Europe continues to lead the UK and US on data regulations, having voted last month to develop a new legal framework outlining “the ethical and legal obligations to be followed when developing, deploying and using artificial intelligence, robotics and related technologies… including software, algorithms and data”. The key guiding principles enshrined within a new regulatory framework include:

- Human-centric and human-made AI

- Safety

- Transparency and accountability

- Safeguards against bias and discrimination

- Right to redress

- Social and environmental responsibility and

- Respect for privacy and data

In addition to these principles, the EU Commission is also pushing for all high-risk AI technologies, such as “those with self-learning capabilities”, to be designed to allow for “human oversight at any time”. Legislation establishing a civil liability framework would make those operating high-risk AI strictly liable for any resulting damage. The EU Commission hopes that a “clear legal framework would stimulate innovation by providing businesses with legal certainty, whilst protecting citizens and promoting their trust in AI technologies”. The European Parliament’s work on AI is led by the Special Committee on Artificial Intelligence in a Digital Age, established in June of this year. Its mandate stresses its aims to develop a “holistic approach providing a common, long-term position that highlights the EU’s key values and objectives relating to artificial intelligence in the digital age”.

Earlier this year the Court of Justice of the European Union (CJEU) ruled that US tech companies could not move data from Europe to the US. Privacy Shield — a broad agreement and standard contractual clauses (SCCs) that are drawn up on an individual basis by each organisation — was ruled against, and tech companies in the US must apply SCCs with data protection in mind and cannot store European data in the US if it can just as easily be retained and stored in the EU. What this means is that tech giants have lost any legal basis for storing personal data in the US, where data protection laws are significantly less stringent than in Europe. For more information see here.

The EU are not alone in combatting data privacy breaches. The UK’s Information Commissioner’s Office has recently issued two significant fines to British Airways and Marriott Hotels. British Airways had initially faced a £183 million fine for breaching the privacy of over 400,000 customers’ personal data, but this was reduced to just £20 million in light of the impact of the Coronavirus pandemic on the airline industry. Marriott saw a data breach that may have affected up to 339 million of its guests and its initial fine was £100 million, reduced now to £18.4 million.

What is interesting about the Marriott case is that the company bought the databases along with their takeover of Starwood, another hospitality company. Hackers had already infiltrated Starwood’s databases before Marriott acquired them. Marriott failed to check what it was purchasing, and their subsequent cyber-security improvements were too little too late — something the ICO pointed out in their review of the breach.

These are the first major fines issued by the ICO since GDPR first came into effect in May 2018. The fines are a substantial signpost of how the ICO seeks to ensure personal data is protected and managed properly by private companies — having previously pursued an ineffective policy of regulation and responsibility. The ICO, while lenient in their subsequent reductions of the initial fines, believe that the rulings will deter other companies from making the same mistakes.

While this may be the case, other companies that have collected data from pubs and restaurants (as required by Coronavirus measures) have been selling it on to third parties, in breach of Government guidelines. Government documents state that information collected in relation to contact-tracing in pubs and restaurants should be kept by businesses for 21 days and must not be used for “any purpose other than for NHS test and trace”. This has occurred as companies contracted to provide systems such as QR code scanning when you enter a pub or restaurant have included in their privacy policy that the information they collect may be used for purposes other than NHS test-and-trace. As noted in last month’s policy blog, the Coronavirus pandemic has highlighted the need for Government to collect and use data better. This further demonstrates how valuable data is and the need for regulatory legislation to catch up.

Similarly, the US is showing some signs of cracking down on tech giants — whether over personal data or antitrust issues. The U.S. Justice Department launched the most significant antitrust case to date against Google. The case argues that Alphabet Inc., Google’s parent company, is abusing its market power with its control of over 90% of the online search market in the US. Google is the “unchallenged gateway” to the internet and has perpetuated an environment of anticompetitive practices in their favour, locking out competition from rivals. US Attorney General William Barr argues that this monopoly will have a negative impact on future innovation. Texas Attorney General Ken Paxton is also preparing a complaint over Google’s conduct in the digital advertising market, where it controls technology used to buy and sell ads across the internet. Google has argued that the case against them is “deeply flawed” and told investors that the case presents “limited risk”. For more information on the case, see here.

These events follow the Senate Commerce Committee issuing subpoenas to the heads of Twitter, Facebook, and Google to question them about their content policies. This may mark a strategic shift from US policy-makers, seeking to curb and manage tech giants through legal avenues and testimonies — much like unfolding trends in the EU and the UK.

This story was written by Policy Researcher Finn Mohrasri.

This story was written as part of a monthly policy update for Digital Bucket Company, a leading Big Data and AI consultancy. Finn Mohrasri explores the latest issues in the AI, Big Data and Cyber Security Industry.

Studying Digital Culture, Lauren is an MSc student at LSE and writes about Big Data and AI for Digital Bucket Company. Tweet her @itslaurensdata