The DAPRECO knowledge base is the main outcome of the interdisciplinary project bearing the same name. It is a repository of rules written in LegalRuleML, an XML formalism designed to be a standard for representing the semantic and logical content of legal documents. The rules represent the provisions of the General Data Protection Regulation, the new Regulation that is significantly affecting the digital market in the European Union and beyond. The DAPRECO knowledge base builds upon the Privacy Ontology, which provides (...) a model for the legal concepts involved in the GDPR, by adding a further layer of constraints in the form of if-then rules, referring either to standard first order logic implications or to deontic statements. If-then rules are formalized in reified Input/Output logic and then codified in LegalRuleML. Reified Input/Output logic is an application of standard Input/Output logic for legal reasoning, in which Input/Output logic is combined with the reification-based approach in Hobbs and Gordon. The DAPRECO knowledge base is then a case study for reified Input/Output logic, and it shows that the formalism indeed appears to be a good candidate to effectively formalize, via uniform and simple representations, complex linguistic/deontic phenomena that may be found in legal texts. To date, the DAPRECO knowledge base is the biggest knowledge base in LegalRuleML and Input/Output logic freely available online. (shrink)

Broad consent – the act of gaining one consent for multiple potential future research projects – sits at the core of much current genomic research practice. Since the 25th May 2018, the General Data Protection Regulation (GDPR) has applied as valid law concerning genomic research in the EU and now occupies a dominant position in the legal landscape. Yet, the position of the GDPR concerning broad consent has recently been cause for concern in the genomic research community. Whilst (...) the text of the GDPR apparently supports the practice, recent jurisprudence contains language which is decidedly less positive. This article takes an in-depth look at the situation concerning broad consent under the GDPR and – despite the understandable concern flowing from recent jurisprudence – offers a positive outlook. This positive outlook is argued from three perspectives, each of which is significant in defining the current, and ongoing, legitimacy and utility of broad consent under the GDPR: the principled, the legal technical, and the practical. (shrink)

Scientific research is indispensable inter alia in order to treat harmful diseases, address societal challenges and foster economic innovation. Such research is not the domain of a single type of organization but can be conducted by a range of different entities in both the public and private sectors. Given that the use of personal data may be indispensable for many forms of research, the data protection framework will play an important role in determining not only what types of research may (...) occur but also which types of actors may carry it out. This article looks at the role the EU’s General Data Regulation plays in determining which types of actors can conduct research with personal data. In doing so it focuses on the various legal bases that are available and attempts to discern whether the GDPR can be said to favour research in either the public or private domains. As this article explains, the picture is nuanced, with either type of research actor enjoying advantages and disadvantages in specific contexts. (shrink)

Risk management is a well-known method to face technological challenges through a win–win combination of protective and proactive approaches, fostering the collaboration of operators, researchers, regulators, and industries for the exploitation of new markets. In the field of autonomous and unmanned aerial systems, or UAS, a considerable amount of work has been devoted to risk analysis, the generation of ground risk maps, and ground risk assessment by estimating the fatality rate. The paper aims to expand this approach with a tool (...) for managing data protection risks raised by drones through the design of flight maps. The tool should allow UAS operators choosing the best air corridor for their drones based on the so-called privacy by design principle pursuant to Article 25 of the EU data protection regulation, the GDPR. Among the manifold applications of this approach, the design of fly zones for drones can be tailored for public authorities in the phase of authorization of new operations, much as for national Data Protection authorities that have to control the lawfulness of personal data processing by UAS operations. The overall aim is to present the first win–win approach to data protection issues, aerospace engineering challenges, and risk management methods for the threats posed by this technology. (shrink)

Risk management is a well-known method to face technological challenges through a win–win combination of protective and proactive approaches, fostering the collaboration of operators, researchers, regulators, and industries for the exploitation of new markets. In the field of autonomous and unmanned aerial systems, or UAS, a considerable amount of work has been devoted to risk analysis, the generation of ground risk maps, and ground risk assessment by estimating the fatality rate. The paper aims to expand this approach with a tool (...) for managing data protection risks raised by drones through the design of flight maps. The tool should allow UAS operators choosing the best air corridor for their drones based on the so-called privacy by design principle pursuant to Article 25 of the EU data protection regulation, the GDPR. Among the manifold applications of this approach, the design of fly zones for drones can be tailored for public authorities in the phase of authorization of new operations, much as for national Data Protection authorities that have to control the lawfulness of personal data processing by UAS operations. The overall aim is to present the first win–win approach to data protection issues, aerospace engineering challenges, and risk management methods for the threats posed by this technology. (shrink)

Risk management is a well-known method to face technological challenges through a win–win combination of protective and proactive approaches, fostering the collaboration of operators, researchers, regulators, and industries for the exploitation of new markets. In the field of autonomous and unmanned aerial systems, or UAS, a considerable amount of work has been devoted to risk analysis, the generation of ground risk maps, and ground risk assessment by estimating the fatality rate. The paper aims to expand this approach with a tool (...) for managing data protection risks raised by drones through the design of flight maps. The tool should allow UAS operators choosing the best air corridor for their drones based on the so-called privacy by design principle pursuant to Article 25 of the EU data protection regulation, the GDPR. Among the manifold applications of this approach, the design of fly zones for drones can be tailored for public authorities in the phase of authorization of new operations, much as for national Data Protection authorities that have to control the lawfulness of personal data processing by UAS operations. The overall aim is to present the first win–win approach to data protection issues, aerospace engineering challenges, and risk management methods for the threats posed by this technology. (shrink)

The General Data Protection Regulation (GDPR) of the EU confirms the protection of personal data as a fundamental human right and affords data subjects more control over the way their personal information is processed, shared, and analyzed. However, where data are processed by artificial intelligence (AI) algorithms, asserting control and providing adequate explanations is a challenge. Due to massive increases in computing power and big data processing, modern AI algorithms are too complex and opaque to be understood by most (...) data subjects. Articles 15 and 22 of the GDPR provide a modest regulatory framework for automated data processing by, among other things, mandating that data controllers inform data subjects about when it is being used, and its logic and ramifications. Nevertheless, due to the phrasing of the articles and the numerous exceptions they allow, doubts have arisen about their effectiveness. In this paper, we empirically evaluate the quality and effectiveness of AI disclosures as mandated by the GDPR. By means of an online survey (N = 835), we investigated how data subjects expect to be informed about the automated processing of their data. We then conducted a content analysis of the AI disclosures of N = 100 companies and organizations. The combined findings reveal that current GDPR-mandated disclosures do not meet the expectations and needs of data subjects. Explanations drawn up following the guidelines of the generic formulations of the GDPR differ widely and are often vague, incomplete and lack transparency. In our conclusions we identify a path towards standardizing and optimizing AI information notices. (shrink)

It is argued that GDPR suffer from a practical problem of click-through consents, which developers of web browsers should resolve.

Organized immaturity refers to the capacity of widely institutionalized sociotechnical systems to challenge qualities of human enlightenment, autonomy, and self-determination. In the context of surveillance capitalism, where these qualities are continuously put at risk, data transparency is increasingly proposed as a means of restoring human maturity by allowing individuals insight and choice vis-à-vis corporate data processing. In this article, however, I draw on research on General Data Protection Regulation–mandated data transparency practices to argue that transparency—while potentially fostering maturity—itself risks producing (...) new forms of organized immaturity by facilitating user ignorance, manipulation, and loss of control of personal data. Considering data transparency’s relative “successes” and “failures” regarding the cultivation of maturity, I outline a set of possible remedies while arguing for a general need to develop more sophisticated ethical appreciations of transparency’s complex and potentially problematic implications for organized (im)maturity in the digital age. (shrink)

In this article, we consider the possible application of the European General Data Protection Regulation to “citizen scientist”-led health research with mobile devices. We argue that the GDPR likely does cover this activity, depending on the specific context and the territorial scope. Remaining open questions that result from our analysis lead us to call for lex specialis that would provide greater clarity and certainty regarding the processing of health data by for research purposes, including these non-traditional researchers.

BackgroundPrevious studies have indicated that failure to report ethical approval is common in health science articles. In social sciences, the occurrence is unknown. The Swedish Ethics Review Act requests that sensitive personal data, in accordance with the EU General Data Protection Regulation (GDPR), should undergo independent ethical review, irrespective of academic discipline. We have explored the adherence to this regulation. MethodsUsing the Web of Science databases, we reviewed 600 consecutive articles from three domains (health sciences with and without somatic (...) focus and social sciences) based on identifiable personal data published in 2020. ResultsInformation on ethical review was lacking in 12 of 200 health science articles with somatic focus (6%), 21 of 200 health science articles with non-somatic focus (11%), and in 54 of 200 social science articles (27%; p < 0.001 vs. both groups of health science articles). Failure to report on ethical approval was more common in (a) observational than in interventional studies (p < 0.01), (b) articles with only 1–2 authors (p < 0.001) and (c) health science articles from universities without a medical school (p < 0.001). There was no significant association between journal impact factor and failure to report ethical approval.ConclusionsWe conclude that reporting of research ethics approval is reasonably good, but not strict, in health science articles. Failure to report ethical approval is about three times more frequent in social sciences compared to health sciences. Improved adherence seems needed particularly in observational studies, in articles with few authors and in social science research. (shrink)

In 2016, the European Parliament approved the General Data Protection Regulation (GDPR) whose core aim is the safeguarding of information privacy, and, by corollary, human dignity. Drawing on the field of philosophical anthropology, this paper analyses various interpretations of human dignity and human exceptionalism. It concludes that privacy is essential for humans to flourish and enable individuals to build a sense of self and the world.

Recital 33 GDPR has often been interpreted as referring to ‘broad consent’. This version of informed consent was intended to allow data subjects to provide their consent for certain areas of research, or parts of research projects, conditional to the research being in line with ‘recognised ethical standards’. In this article, we argue that broad consent is applicable in the emerging field of Computational Social Science (CSS), which lies at the intersection of data science and social science. However, the (...) lack of recognised ethical standards specific to CSS poses a practical barrier to the use of broad consent in this field and other fields that lack recognised ethical standards. Upon examining existing research ethics standards in social science and data science, we argue that they are insufficient for CSS. We further contend that the fragmentation of European Union (EU) law and research ethics sources makes it challenging to establish universally recognised ethical standards for scientific research. As a result, CSS researchers and other researchers in emerging fields that lack recognised ethical standards are left without sufficient guidance on the use of broad consent as provided for in the GDPR. We conclude that responsible EU bodies should provide additional guidance to facilitate the use of broad consent in CSS research. (shrink)

The growing importance of researching online activities, such as cyber-deviance and cyber-crime, as well as the use of online tools (e.g. questionnaires, games, and other interactive tools) has created new ethical and legal challenges for researchers, which can be even more complicated when researching adolescents. In this article, we highlight the risks emerging from the current European legal and ethical landscape when researching potentially vulnerable groups, with a special focus on online research. It is not always clear how to differentiate (...) research ethics consent from consent for data processing activities: when can an adolescent independently consent to research, or when is parental consent needed? Additional problems emerge when parents do not consent to research activities, but their adolescent children do. A serious ethical challenge can arise when the parents do not communicate with researchers, but the adolescent wishes to participate, especially when weak parental oversight is coupled with research on sensitive topics. We offer some guidance on what to keep in mind when conducting online research with adolescents and highlight possible ways that these issues can be dealt with in pan-European projects. (shrink)

The aim of the article is to explain the relationship between the ethical evaluation of scientific research involving personal data and the assessment of compliance with data protection law. The article presents the mutual relationship between the protection of personal data and scientific activity from a dogmatic perspective, the legal regulation of the processing of personal data in scientific research, and the so-called research exceptions that apply when data are processed for scientific research. It also covers the importance of meeting (...) the ethical requirements of scientific research in order to profit from the indicated exceptions. Finally, it provides a comparison between the ethical and the legal systems of personal data protection in research (objectives, criteria, authorities, and procedures). (shrink)

In this chapter I identify three problems affecting the plausibility of group privacy and argue in favour of their resolution. The first problem concerns the nature of the groups in question. I shall argue that groups are neither discovered nor invented, but designed by the level of abstraction (LoA) at which a specific analysis of a social system is developed. Their design is therefore justified insofar as the purpose, guiding the choice of the LoA, is justified. This should remove the (...) objection that groups cannot have a right to privacy because groups are mere artefacts (there are no groups, only individuals) or that, even if there are groups, it is too difficult to deal with them. The second problem concerns the possibility of attributing rights to groups. I shall argue that the same logic of attribution of a right to individuals may be used to attribute a right to a group, provided one modifies the LoA and now treats the whole group itself as an individual. This should remove the objection that, even if groups exist and are manageable, they cannot be treated as holders of rights. The third problem concerns the possibility of attributing a right to privacy to groups. I shall argue that sometimes it is the group and only the group, not its members, that is correctly identified as the correct holder of a right to privacy. This should remove the objection that privacy, as a group right, is a right held not by a group as a group but rather by the group’s members severally. The solutions of the three problems supports the thesis that an interpretation of privacy in terms of a protection of the information that constitutes an individual—both in terms of a single person and in terms of a group—is better suited than other interpretations to make sense of group privacy. (shrink)

Open science has recently gained traction as establishment institutions have come on-side and thrown their weight behind the movement and initiatives aimed at creation of information commons. At the same time, the movement's traditional insistence on unrestricted dissemination and reuse of all information of scientific value has been challenged by the movement to strengthen protection of personal data. This article assesses tensions between open science and data protection, with a focus on the GDPR.

Since approval of the EU General Data Protection Regulation (GDPR) in 2016, it has been widely and repeatedly claimed that the GDPR will legally mandate a ‘right to explanation’ of all decisions made by automated or artificially intelligent algorithmic systems. This right to explanation is viewed as an ideal mechanism to enhance the accountability and transparency of automated decision-making. However, there are several reasons to doubt both the legal existence and the feasibility of such a right. In contrast (...) to the right to explanation of specific automated decisions claimed elsewhere, the GDPR only mandates that data subjects receive meaningful, but properly limited, information (Articles 13-15) about the logic involved, as well as the significance and the envisaged consequences of automated decision-making systems, what we term a ‘right to be informed’. Further, the ambiguity and limited scope of the ‘right not to be subject to automated decision-making’ contained in Article 22 (from which the alleged ‘right to explanation’ stems) raises questions over the protection actually afforded to data subjects. These problems show that the GDPR lacks precise language as well as explicit and well-defined rights and safeguards against automated decision-making, and therefore runs the risk of being toothless. We propose a number of legislative and policy steps that, if taken, may improve the transparency and accountability of automated decision-making when the GDPR comes into force in 2018. (shrink)

The first few years of the 21st century were characterised by a progressive loss of privacy. Two phenomena converged to give rise to the data economy: the realisation that data trails from users interacting with technology could be used to develop personalised advertising, and a concern for security that led authorities to use such personal data for the purposes of intelligence and policing. In contrast to the early days of the data economy and internet surveillance, the last few years have (...) witnessed a rising concern for privacy. As bad data practices have come to light, citizens are starting to understand the real cost of using online digital technologies. Two events stamped 2018 as a landmark year for privacy: the Cambridge Analytica scandal, and the implementation of the European Union’s General Data Protection Regulation (GDPR). The former showed the extent to which personal data has been shared without data subjects’ knowledge and consent and many times for unacceptable purposes, such as swaying elections. The latter inaugurated the beginning of robust data protection regulation in the digital age. Getting privacy right is one of the biggest challenges of this new decade of the 21st century. The past year has shown that there is still much work to be done on privacy to tame the darkest aspects of the data economy. As data scandals continue to emerge, questions abound as to how to interpret and enforce regulation, how to design new and better laws, how to complement regulation with better ethics, and how to find technical solutions to data problems. The aim of the research project Data, Privacy, and the Individual is to contribute to a better understanding of the ethics of privacy and of differential privacy. The outcomes of the project are seven research papers on privacy, a survey, and this final report, which summarises each research paper, and goes on to offer a set of reflections and recommendations to implement best practices regarding privacy. (shrink)

:This article considers recent ethical topics relating to medical AI. After a general discussion of recent medical AI innovations, and a more analytic look at related ethical issues such as data privacy, physician dependency on poorly understood AI helpware, bias in data used to create algorithms post-GDPR, and changes to the patient–physician relationship, the article examines the issue of so-called robot doctors. Whereas the so-called democratization of healthcare due to health wearables and increased access to medical information might suggest (...) a positive shift in the patient-physician relationship, the physician’s ‘need to care’ might be irreplaceable, and robot healthcare workers might be seen as contributing to dehumanized healthcare practices. (shrink)

The General Data Protection Regulation (GDPR) was introduced in 2018 to harmonize data privacy and security laws across the European Union (EU). It applies to any organization collecting personal data in the EU. To date, service-level consent has been used as a proportionate approach for clinical trials, which implement low-risk, routine, service-wide interventions for which individual consent is considered inappropriate. In the context of public health research, GDPR now requires that individuals have the option to choose whether their (...) data may be used for research, which presents a challenge when consent has been given by the clinical service and not by individual service users. We report here on development of a pragmatic opt-out solution to this consent paradox in the context of a partner notification intervention trial in sexual health clinics in the UK. Our approach supports the individual’s right to withhold their data from trial analysis while routinely offering the same care to all patients. (shrink)

This paper explores some key discrepancies between two sets of normative requirements applicable to the research use of personal data and human biological materials: the data protection regime which follows the application of the European Union General Data Protection Regulation, and the Declaration of Helsinki, CIOMS guidelines and other research ethics regulations. One source of this controversy is that the GDPR requires consent to process personal data to be clear, concise, specific and granular, freely given and revocable and therefore (...) has challenged the concept of ‘broad consent’, which has been widely applied in the context of biobanking. Another source of controversy is the interplay between regulations of research ethics and protection of personal data related to the secondary use of personal data and biological materials. In this case, the GDPR ‘research condition’ provides an alternative to re-consent for the use of previously collected personal data and biological materials. Although the mentioned controversies have been raised in the legal literature, they have not been explicitly addressed from the research ethics perspective. Should consent be regarded as a priority legal basis for personal data processing in health data research? Can broad consent still be a suitable legal ground for biobanking? What should be the role of research ethics provisions that differ from the GDPR standards, and what should be the role and function of research ethics committees in the changing environment of health data research? These are the ongoing controversies to be explored in the paper. (shrink)

IntroductionThe idea of video recording in the operating room with panoramic cameras and microphones is a new concept that is changing the approach to medical activities in the OR. However, VR in the OR has brought up many concerns regarding patient privacy and has highlighted legal and ethical issues that were never previously exposed.AimTo review the literature concerning these aspects and provide a better ethical and legal understanding of the new challenges concerning VR in the OR.ConclusionsThere is a disparity between (...) the two main legal models concerning VR in the OR, namely the European legal system ) and the American legal framework ). This difference mainly deals with two distinct bioethical paradigms: GDPR places a strong emphasis on protecting patients’ privacy to improve the public health system, whereas HIPAA indicates the need to generate protocols to safeguard the risks connected to medical activity and patient privacy. Following from this point, we may argue that, at the ethical and bioethical level, GDPR and HIPAA depend mainly on two different ethical models: a perspective based on moral acquaintances and weak proceduralism, respectively. It is worth noting the importance of developing additional guidelines concerning different world regions to avoid the ethical problems that may emerge when simply applying a foreign paradigm to a very different culture. (shrink)

The EDPS Ethics Advisory Group (EAG) has carried out its work against the backdrop of two significant social-political moments: a growing interest in ethical issues, both in the public and in the private spheres and the imminent entry into force of the General Data Protection Regulation (GDPR) in May 2018. For some, this may nourish a perception that the work of the EAG represents a challenge to data protection professionals, particularly to lawyers in the field, as well as to (...) companies struggling to adapt their processes and routines to the requirements of the GDPR. What is the purpose of a report on digital ethics, if the GDPR already provides all regulatory requirements to protect European citizens with regard to the processing of their personal data? Does the existence of this EAG mean that a new normative ethics of data protection will be expected to fill regulatory gaps in data protection law with more flexible, and thus less easily enforceable ethical rules? Does the work of the EAG signal a weakening of the foundation of legal doctrine, such as the rule of law, the theory of justice, or the fundamental values supporting human rights, and a strengthening of a more cultural approach to data protection? Not at all. The reflections of the EAG contained in this report are not intended as the continuation of policy by other means. It neither supersedes nor supplements the law or the work of legal practitioners. Its aims and means are different. On the one hand, the report seeks to map and analyse current and future paradigm shifts which are characterised by a general shift from analogue experience of human life to a digital one. On the other hand, and in light of this shift, it seeks to re-evaluate our understanding of the fundamental values most crucial to the well-being of people, those taken for granted in a data-driven society and those most at risk. The objective of this report is thus not to generate definitive answers, nor to articulate new norms for present and future digital societies but to identify and describe the most crucial questions for the urgent conversation to come. This requires a conversation between legislators and data protection experts, but also society at large - because the issues identified in this report concern us all, not only as citizens but also as individuals. They concern us in our daily lives, whether at home or at work and there isn’t a place we could travel to where they would cease to concern us as members of the human species. (shrink)

Algorithmic decision-making based on profiling may significantly affect people’s destinies. As a rule, however, explanations for such decisions are lacking. What are the chances for a “right to explanation” to be realized soon? After an exploration of the regulatory efforts that are currently pushing for such a right it is concluded that, at the moment, the GDPR stands out as the main force to be reckoned with. In cases of profiling, data subjects are granted the right to receive meaningful (...) information about the functionality of the system in use; for fully automated profiling decisions even an explanation has to be given. However, the trade secrets and intellectual property rights (IPRs) involved must be respected as well. These conflicting rights must be balanced against each other; what will be the outcome? Looking back to 1995, when a similar kind of balancing had been decreed in Europe concerning the right of access (DPD), Wachter et al. (2017) find that according to judicial opinion only generalities of the algorithm had to be disclosed, not specific details. This hardly augurs well for a future right of access let alone to explanation. Thereupon the landscape of IPRs for machine learning (ML) is analysed. Spurred by new USPTO guidelines that clarify when inventions are eligible to be patented, the number of patent applications in the US related to ML in general, and to “predictive analytics” in particular, has soared since 2010—and Europe has followed. I conjecture that in such a climate of intensified protection of intellectual property, companies may legitimately claim that the more their application combines several ML assets that, in addition, are useful in multiple sectors, the more value is at stake when confronted with a call for explanation by data subjects. Consequently, the right to explanation may be severely crippled. (shrink)

The paper focuses on concerns and legal challenges brought on by the use of algorithms. A particular class of algorithms that augment or replace analysis and decision-making by humans, i.e. data analytics and machine learning, is under scrutiny. Taking into account Balkin’s work on “the laws of an algorithmic society”, attention is drawn to obligations of transparency, matters of due process, and accountability. This US-centric analysis on drawbacks and loopholes of current legal systems is complemented with the analysis of norms (...) and principles of the EU data protection law, or “GDPR”. The aim is twofold. On the one hand, the intent is to shed light on some crucial differences between the US and EU law on the regulation of algorithmic operators, both public and private. Whereas, in the USA, scholars debate whether and to what extent new duties and responsibilities of algorithmic operators, e.g. information fiduciaries, have to amend the current framework of self-regulation and light government—as shown by the White House’s Office of Science and Technology Policy report from November 2016—in EU law much of the new duties and responsibilities of algorithmic operators have been passed upon them as data controllers. Whether such approaches will successfully tackle the normative challenges of the algorithmic society is, on the other hand, an open issue that will likely represent the main topic of debate over the next years. Disagreement may concern: the terms framing the legal question in e.g. statistical purposes of the data processing; how such terms are related to each other in legal reasoning ; and legal hard cases that will increasingly have to do with the principles that are at stake also but not only in data protection. By entrusting such legal hard cases to algorithms, or some sort of smart artificial agent, humans still bear full responsibility for the judgment of what is socially, ethically, and legally “plain” and “hard” in social affairs. The balance between delegation of decisions to algorithms and non-delegation will be the leitmotiv of the algorithmic society. Since the devil is in the detail, the current paper is devoted to some of them. (shrink)

Developments in medical big data analytics may bring societal benefits but are also challenging privacy and other ethical values. At the same time, an overly restrictive data protection regime can form a serious threat to valuable observational studies. Discussions about whether data privacy or data solidarity should be the foundational value of research policies, have remained unresolved. We add to this debate with an empirically informed ethical analysis. First, experiences with the implementation of the General Data Protection Regulation (GDPR) (...) within a European research consortium demonstrate a gap between the aims of the regulation and its effects in practice. Namely, strictly formalised data protection requirements may cause routinisation among researchers instead of substantive ethical reflection, and may crowd out trust between actors in the health data research ecosystem; while harmonisation across Europe and data sharing between countries is hampered by different interpretations of the law, which partly stem from different views about ethical values. Then, building on these observations, we use theory to argue that the concept of trust provides an escape from the privacy-solidarity debate. Lastly, the paper details three aspects of trust that can help to create a responsible research environment and to mitigate the encountered challenges: trust as multi-agent concept; trust as a rational and democratic value; and trust as method for priority setting. Mutual cooperation in research—among researchers and with data subjects—is grounded in trust, which should be more explicitly recognised in the governance of health data research. (shrink)

In May 2021, the UK National Health Service (NHS) proposed a scheme—called General Practice Data for Planning Research (GPDPR)—for sharing patients’ data. Under that system, a patient who does not wish to participate must actively opt out of their data being shared with third parties for research and other purposes. In this paper, we analyse the lessons that can be learned for the responsible and ethical governance of health data from the NHS’ new scheme. More specifically, we explore the extent (...) to which the opt-out within the planned scheme complies with the requirements stemming from the General Data Protection Regulation (GDPR), particularly in relation to the principles of lawfulness and transparency. We then evaluate, from an ethical perspective, this opt-out ‘nudge’ and whether it is sufficiently resistible, reversible, and has appropriate goals. In light of the above, we then propose improvements for the scheme’s legal and ethical acceptability. (shrink)

The aim of this workshop was to ask potential end-users of the citizens’ information pack on legal and ethical issues around ICTs the following questions: What is your knowledge of the EU’s General Data Protection Regulation, and what actions have you taken in response to these regulations? What challenges are you experiencing in ensuring the protection and security of your project data, and compliance with the GDPR, within existing data management processes/systems? What information/tools/resources do you need to overcome these (...) challenges? What are the best formats/channels for receiving, sharing and acting upon this information? What is the most appropriate structure/format for the citizens’ information pack? (shrink)

Period-tracking software applications or ‘menstruapps’ have witnessed a surge in popularity in recent years. At the same time, many of them are a part of the adtech industry, using business models that create revenue by selling users’ personal and intimate data. This exploratory article brings menstruapps into a feminist legal debate. It investigates the supranational European legal standards on intimate and sensitive data processing, particularly the General Data Protection Regulation. Scrutinising explicit consent according to GDPR Article 9, this paper, (...) through empirical examples, claims that current legal standards are not enforced. The standards are, furthermore, theoretically insufficient to fully safeguard data subjects’ integrity and autonomy. Instead of abandoning the concept, the article reimagines consent, using a contextual and communicative model where power relations are taken into consideration, building on the feminist concept of freedom to negotiate. (shrink)

This edited collection brings together a series of interdisciplinary contributions in the field of Information Technology Law. The topics addressed in this book cover a wide range of theoretical and practical legal issues that have been created by cutting-edge Internet technologies, primarily Big Data, the Internet of Things, and Cloud computing. Consideration is also given to more recent technological breakthroughs that are now used to assist, and - at times - substitute for, human work, such as automation, robots, sensors, and (...) algorithms. The chapters presented in this edition address these issues from the perspective of different legal backgrounds. The first part of the book discusses some of the shortcomings that have prompted legislators to carry out reforms with regard to privacy, data protection, and data security. Notably, some of the complexities and salient points with regard to the new European General Data Protection Regulation (EU GDPR) and the new amendments to the Japan's Personal Information Protection Act (PIPA) have been scrutinized. The second part looks at the vital role of Internet intermediaries (or brokers) for the proper functioning of the globalized electronic market and innovation technologies in general. The third part examines an electronic approach to evidence with an evaluation of how these technologies affect civil and criminal investigations. The authors also explore issues that have emerged in e-commerce, such as Bitcoin and its blockchain network effects. The book aims to explain, systemize and solve some of the lingering legal questions created by the disruptive technological change that characterizes the early twenty-first century. (shrink)

Purpose This paper aims to provide a brief overview of the ethical challenges facing researchers engaging with web archival materials and demonstrates a framework and method for conducting research with historical web data created by young people. Design/methodology/approach This paper’s methodology is informed by the conceptual framing of data materials in research on the “right to be forgotten” (Crossen-White, 2015; GDPR, 2018; Tsesis, 2014), data afterlives (Agostinho, 2019; Stevenson and Gehl, 2019; Sutherland, 2017), indigenous data sovereignty and governance (Wemigwans, (...) 2018) and feminist ethics of care (Cifor et al., 2019; Cowan, 2020; Franzke et al., 2020; Luka and Millette, 2018). It demonstrates a new method called an archive promenade, which builds on the walkthrough and scroll-back methods (Light et al., 2018; Robards and Lincoln, 2017). Findings The archive promenades demonstrate how individual attachments to digital traces vary and are often unpredictable, which necessitates further steps to ensure that privacy and data sovereignty are maintained through research with web archives. Originality/value This paper demonstrates how the archive promenade methodological intervention can lead to better practices of care with sensitive web materials and brings together previous work on ethical fabrications (Markham, 2012), speculation (Luka and Millette, 2018) and thick context (Marzullo et al., 2018), to yield new insights for research on the experiences of growing up online. (shrink)

Purpose Employees may feel overwhelmed with information privacy choices and have difficulties understanding what they are committing to in the digital workplace. This paper aims to analyze the role of different thinking styles for effort reduction, such as the use of intuition, when employees make decisions about the credibility and trustworthiness of workplace information privacy issues in Slovakia. While the General Data Protection Regulation sets precise requirements for valid consent, organizations are classified as data controllers and are subject to credibility (...) judgments by their employees. Design/methodology/approach Data was collected from 230 employees in Slovakia using a survey questionnaire. Quantitative analysis using SPSS was conducted to describe employees thinking preferences when judging the credibility of information privacy in their organizations. Findings The survey participants revealed their perceived credibility and trust in personal data protection and thinking preferences. Unconscious thinking is the type of effort reduction often reported by participants, who perceive high credibility and trust in personal data protection. This study can help managers and data controllers in small- and medium-sized enterprises in reflecting about the way in which people use different thinking processes for decision-making about information privacy in their organizations. Research limitations/implications This study set out to explore how decision-making processes at the workplace relate to credibility of data practices. Focusing on the use of different types of intuition, the authors explored whether the preference for a specific decision-making style can explain the perceived credibility of data practices. The part of the workforce in the sample did not have a strict predisposition to use either intuitive or rational thinking. Practical implications The contribution provides scholars with an overview of the field of intuition, a field that is likely to grow given the challenges of digitalization for organizations, such as shitstorms, cyberattacks and whistleblowing. Originality/value The most well-known concepts from intuition research, e.g. the dual process theory, and practice are tested simultaneously, therewith contributing to the applied literature on domain-specific preferences for intuition and deliberation in decision-making. (shrink)

To create fair and accountable AI and robotics, we need precise regulation and better methods to certify, explain, and audit inscrutable systems.

ABSTRACT: One important criticism of algorithmic systems is that they lack transparency. Such systems can be opaque because they are complex, protected by patent or trade secret, or deliberately obscure. In the EU, there is a debate about whether the General Data Protection Regulation (GDPR) contains a “right to explanation,” and if so what such a right entails. Our task in this chapter is to address this informational component of algorithmic systems. We argue that information access is integral for (...) respecting autonomy, and transparency policies should be tailored to advance autonomy. -/- To make this argument we distinguish two facets of agency (i.e., capacity to act). The first is practical agency, or the ability to act effectively according to one’s values. The second is what we call cognitive agency, which is the ability to exercise what Pamela Hieronymi calls “evaluative control” (i.e., the ability to control our affective states, such as beliefs, desires, and attitudes). We argue that respecting autonomy requires providing persons sufficient information to exercise evaluative control and properly interpret the world and one’s place in it. We draw this distinction out by considering algorithmic systems used in background checks, and we apply the view to key cases involving risk assessment in criminal justice decisions and K-12 teacher evaluation. -/- The link below is to an open access version of the chapter. (shrink)

In previous works (Floridi 2018) I introduced the distinction between hard ethics (which may broadly be described as what is morally right and wrong independently of whether something is legal or illegal), and soft or post-compliance ethics (which focuses on what ought to be done over and above existing legislation). This paper analyses the applicability of soft ethics to the General Data Protection Regulation and advances the theory that soft ethics has a dual advantage—as both an opportunity strategy and a (...) risk management solution. (shrink)

Around the world, private and public organizations use software called legal expert systems to compute taxes. This software must comply with the laws they are designed to implement. As such, a bug or an error in a program that leads to tax miscalculations can have heavy legal and democratic consequences. However, increasing evidence suggests that some legal expert systems may not comply with the law. Moreover, traditional software development processes mean that legal expert systems are difficult to adapt to the (...) continuous flow of new legislation. To prevent further software decay and to reconcile these systems with the growing demand for algorithmic transparency, we argue that there is a need for a new development process for legal expert systems. This new system must be built to comply with the law, in particular the GDPR. It must also respect democratic transparency. For these reasons, we present a solution built by lawyers and computer scientists: C atala, a new programming language coupled with a pair programming development process. (shrink)

Businesses increasingly rely on algorithms that are data-trained sets of decision rules (i.e., the output of the processes often called “machine learning”) and implement decisions with little or no human intermediation. In this article, we provide a philosophical foundation for the claim that algorithmic decision-making gives rise to a “right to explanation.” It is often said that, in the digital era, informed consent is dead. This negative view originates from a rigid understanding that presumes informed consent is a static and (...) complete transaction. Such a view is insufficient, especially when data are used in a secondary, noncontextual, and unpredictable manner—which is the inescapable nature of advanced artificial intelligence systems. We submit that an alternative view of informed consent—as an assurance of trust for incomplete transactions—allows for an understanding of why the rationale of informed consent already entails a right to ex post explanation. (shrink)

In various official documents, the European Union has declared its goal to pursue a citizen-centric governance of digital transformation. Through a critical review of several of these documents, here we show how “citizen-centric” is more a glamouring than a driving concept. De facto, the EU is enabling a federated data system that is corporate-driven, economic-oriented, and GDPR-compliant; in other words, a Digital Single Market (DSM). This leaves out societal and collective-level dimensions of digital transformation—such as social inclusion, digital sovereignty, (...) and environmental sustainability—which are acknowledged, but not operationalized, by the EU as pillars of a citizen-centric governance. Hence, the door is open to a complementary approach to the governance of digital transformation. We argue that, while a federated data model can constitute the tech-legal backbone of the emerging DSM, a commoning of data, as an ecosystemic approach that maintains a societal and collective outlook by default, can represent a complement to enact a truly citizen-centric governance. (shrink)

ICTs, personal data, digital rights, the GDPR, data privacy, online security… these terms, and the concepts behind them, are increasingly common in our lives. Some of us may be familiar with them, but others are less aware of the growing role of ICTs and data in our lives - and the potential risks this creates. These risks are even more pronounced for vulnerable groups in society. People can be vulnerable in different, often overlapping, ways, which place them at a (...) disadvantage to the majority of citizens; Table 3 in this guide presents some of the many forms and causes of vulnerability. As a result, vulnerable people need greater support to navigate the digital world, and to ensure that they are able to exercise their rights. This guide explains where such support can be found, and also answers the following questions: - What are the main ethical and legal issues around ICTs for vulnerable citizens? - Who is vulnerable in Europe? - How do issues around ICTs affect vulnerable people in particular? This guide is a resource for members of vulnerable groups, people who work with vulnerable groups, and citizens more broadly. It is also useful for data controllers1 who collect data about vulnerable citizens. While focused on citizens in Europe, it may be of interest to people in other parts of the world. It forms part of the Citizens’ Information Pack produced by the PANELFIT project, and is available in English, French, German, Italian and Spanish. You are welcome to translate this guide into other languages. Please send us a link to online versions in other languages, so that we can add them to the project website. (shrink)

Is privacy the key ethical issue of the internet age? This coauthored essay argues that even if all of a user’s privacy concerns were met through secure communication and computation, there are still ethical problems with personalized information systems. Our objective is to show how computer-mediated life generates what Ernesto Laclou and Chantal Mouffe call an “atypical form of social struggle”. Laclau and Mouffe develop a politics of contingent identity and transient articulation (or social integration) by means of the notions (...) of absent, symbolic, hegemonic power and antagonistic transitions or relations. In this essay, we introduce a critical approach to one twenty-first-century atypical social struggle that, we claim, has a disproportionate effect on those who experience themselves as powerless. Our aim is to render explicit the forms of social mediation and distortion that result from large-scale machine learning as applied to personal preference information. We thus bracket privacy in order to defend some aspects of the EU GDPR that will give individuals more control over their experience of the internet if they want to use it and, thereby, decrease the unwanted epistemic effects of the internet. Our study is thus a micropolitics in in the Deleuzian micropolitical sense and a preliminary analysis of an atypical social struggle. [Added note: the contract law specialist cited twice in this article (Jonathan R. Bruno) is a graduate of Harvard Law and is presently located at University of Michigan Law School (Ann Arbor) (not identical to the 'data scientist' of the same name that populates the first page of links brought up by a Google-search on this proper name.]. (shrink)

BackgroundData processing of health research databases often requires a Data Protection Impact Assessment to evaluate the severity of the risk and the appropriateness of measures taken to comply with the European Union General Data Protection Regulation. We aimed to define and apply a comprehensive method for the evaluation of privacy, data governance and ethics among research networks involved in the EU Project Bridge Health.MethodsComputerised survey among associated partners of main EU Consortia, using a targeted instrument designed by the principal investigator (...) and progressively refined in collaboration with an international advisory panel. Descriptive measures using the percentage of adoption of privacy, data governance and ethical principles as main endpoints were used for the analysis and interpretation of the results.ResultsA total of 15 centres provided relevant information on the processing of sensitive data from 10 European countries. Major areas of concern were noted for: data linkage, access and accuracy of personal data and anonymisation procedures. A high variability was noted in the application of privacy principles.ConclusionsA comprehensive methodology of Privacy and Ethics Impact and Performance Assessment was successfully applied at international level. The method can help implementing the GDPR and expanding the scope of Data Protection Impact Assessment, so that the public benefit of the secondary use of health data could be well balanced with the respect of personal privacy. (shrink)

Upon Brexit, the United Kingdom chose to follow the path of EU data protection and remain tied to the requirements of the General Data Protection Regulation (GDPR). It even enacted the GDPR into its domestic law. This Article evaluates five models relating to preference change, demonstrating how they identify different dimensions of Brexit while providing a rich explanation of why a legal system may or may not reject an established transnational legal order. While market forces and a “Brussels (...) Effect” played the most significant role in the decision of the UK government to accept the GDPR, important nonmarket factors were also present in this choice. This Article’s models of preference change are also useful in thinking about the likely extent of the UK’s future divergence from EU data protection. (shrink)

In the European Union, the General Data Protection Regulation (GDPR) provides comprehensive rules for the processing of personal data. In addition, the EU lawmaker intends to adopt specific rules to protect confidentiality of communications, in a separate ePrivacy Regulation. Some have argued that there is no need for such additional rules for communications confidentiality. This Article discusses the protection of the right to confidentiality of communications in Europe. We look at the right’s origins to assess the rationale for protecting (...) it. We also analyze how the right is currently protected under the European Convention on Human Rights and under EU law. We show that at its core the right to communications confidentiality protects three individual and collective values: privacy, freedom of expression, and trust in communication services. The right aims to ensure that individuals and organizations can safely entrust communication to service providers. Initially, the right protected only postal letters, but it has gradually developed into a strong safeguard for the protection of confidentiality of communications, regardless of the technology used. Hence, the right does not merely serve individual privacy interests, but also other more collective interests that are crucial for the functioning of our information society. We conclude that separate EU rules to protect communications confidentiality, next to the GDPR, are justified and necessary. (shrink)

Automating Humanity is the shocking and eye-opening new manifesto from international award-winning designer Joe Toscano that unravels and lays bare the power agendas of the world's greatest tech titans in plain language, and delivers a fair warning to policymakers, civilians, and industry professionals alike: we need a strategy for the future, and we need it now. Automating Humanity is an insider's perspective on everything Big Tech doesn't want the public to know--or think about--from the addictions installed on a global scale (...) to the profits being driven by fake news and disinformation, to the way they're manipulating the world for profit and using our data to train systems that will automate jobs at an explosive, unprecedented scale. Toscano provides a critique of modern regulation, including parts of the new European Union's General Data Proctection Regulation (GDPR) suggesting how we can create proactive, adaptable regulation that satisfies both the needs of consumer safety and commercial success in the international economy. The content touches on everything from technology, economics, and public policy to psychology, history, and ethics, and is written in a way that is accessible to everyone from the average reader to the technical expert. (shrink)

We design a framework for assisted normative reasoning based on Aristotelian diagrams and algorithmic graph theory which can be employed to address heterogeneous tasks of deductive reasoning. Here we focus on two problems of normative determination: we show that the algorithms used to address these problems are computationally efficient and their operations are traceable by humans. Finally, we discuss an application of our framework to a scenario regulated by the GDPR.

An increasing number of European research projects return, or plan to return, individual genomic research results (IRR) to participants. While data access is a data subject’s right under the General Data Protection Regulation (GDPR), and many legal and ethical guidelines allow or require participants to receive personal data generated in research, the practice of returning results is not straightforward and raises several practical and ethical issues. Existing guidelines focusing on return of IRR are mostly project-specific, only discuss which results (...) to return, or were developed outside Europe. To address this gap, we analysed existing normative documents identified online using inductive content analysis. We used this analysis to develop a checklist of steps to assist European researchers considering whether to return IRR to participants. We then sought feedback on the checklist from an interdisciplinary panel of European experts (clinicians, clinical researchers, population-based researchers, biobank managers, ethicists, lawyers and policy makers) to refine the checklist. The checklist outlines seven major components researchers should consider when determining whether, and how, to return results to adult research participants: 1) Decide which results to return; 2) Develop a plan for return of results; 3) Obtain participant informed consent; 4) Collect and analyse data; 5) Confirm results; 6) Disclose research results; 7) Follow-up and monitor. Our checklist provides a clear outline of the steps European researchers can follow to develop ethical and sustainable result return pathways within their own research projects. Further legal analysis is required to ensure this checklist complies with relevant domestic laws. (shrink)

This open access book presents an ethical approach to utilizing personal medical data. It features essays that combine academic argument with practical application of ethical principles. The contributors are experts in ethics and law. They address the challenges in the re-use of medical data of the deceased on a voluntary basis. This pioneering study looks at the many factors involved when individuals and organizations wish to share information for research, policy-making, and humanitarian purposes. -/- Today, it is easy to donate (...) blood or even organs, but it is virtually impossible to donate one’s own medical data. This is seen as ethically unacceptable. Yet, data donation can greatly benefit the welfare of our societies. This collection provides timely interdisciplinary research on biomedical big data. Topics include the ethics of data donation, the legal and regulatory challenges, and the current and future collaborations. -/- Readers will learn about the ethical and regulatory challenges associated with medical data donations. They will also better understand the special nature of using deceased data for research purposes with regard to ethical principles of autonomy, beneficence, and justice. In addition, the contributors identify the key governance issues of such a scheme. The essays also look at what we can learn in terms of best practice from existing medical data schemes. (shrink)