# Topic areas
| Document | Description |
| -------- | -------- |
| [Report: Topic areas & Feedback interim plan feedback](https://drive.google.com/file/d/1iUBgx-xACf90W1u9TbxjlmztFnWHUhPc/view?usp=sharing) | Summary of the responses on topic areas and of the feedback on the interim collaboration plan |
| [Mindmap 1 (simple)](https://drive.google.com/file/d/11wF0DYwnbzJKKDR_KtA8gbhRcNW2WS69/view?usp=sharing) | Visual representation of the topic areas in a **brief** overview |
| [Mindmap 2 (detailed)](https://drive.google.com/file/d/1HI0Zacy1Q8S4M3iL15U7ishOVLIxdFku/view?usp=sharing) | Visual representation of the topic areas in a more **granular** overview |
| [Mindmap 3 (full)](https://drive.google.com/file/d/1l9HnxfKEhhH7DoBiyiuWzo5g3pxxB8Xd/view?usp=sharing) | Visual representation of the topic areas in **full** detail |
|[Outline: Topic areas](https://hackmd.io/s/ryyNQMowL) | Text representation of the topic areas in hierarchical order (**this document**) |
|[Form: Topic areas & Interim plan](https://forms.gle/EZxLCT1PFGnvXuub8) | Form on topic areas and feedback on the proposed interim virtual collaboration plan due to the COVID-19 developments (sent on 23 March 2020) |
|[Responses: Topic areas & Interim plan](https://docs.google.com/spreadsheets/d/1C-aLW_V5av-LrU_OQ8m0K8SiDBd4Z65y4v_qYAQ49gQ/edit?usp=sharing) | Excel table with all form responses from working group members |
## What we have (existing regulation)
### Explore the full potential
- GDPR
- ePrivacy
- Competition
- Consumer protection
### Limitations
- Definitions
- The current regime applies to data "controllers" and "subjects". What happens if there is no readily identifiable controller?
- Will fully automated systems / developed machine learning be covered by the existing regime?
- Do we need to develop concepts such as legal personalities?
- Decentralised technologies
- Local data processing on the devices of individuals
- Personal data/non-personal data dichotomy
- Exemptions
- What is the impact on specific people and human rights – for example in relation to immigration, policing, and national security?
- Concepts
- Are some concepts already outmoded by the pace of change?
### Challenges
- GDPR & new tech
- AI & ADM
- Is the GDPR enough to build on (eg via guidelines), is it just being poorly implemented, or is there a regulatory gap here?
- Here the answer also can't just be that there's a "human in the loop": as we know from the thousands of moderators contracted by FB and other social networks, that creates a new set of problems and doesn't protect the interests of the user.
- Biometric data
- facial
- Is the GDPR enough?
- voice
- How can this be used, donated, re-used, but also protected?
- National implementation
- Increased lobbying
- Progressive regulation will be harder to achieve
### Gaps/missing elements
- Lack of guidance
- DPAs & EDPB lack expertise, independence, and resources to effectively enforce the rules
## What can we improve
### Accountability & scrutiny
- How can we increase the scrutiny and accountability of systems beyond the individual?
- Algorithmic Accountability frameworks
- Evolve our ideas of accountability and responsibility (such as to cover the way AI is developed and regulations at the outset, such as limiting the use of new tools to their intended purpose)
- New obligations for (dominant) platforms
- Force them to share their commercial data and statistical models for the purpose of public good
- Force them to set up open and fully functional APIs for both individual users and researchers, in order to facilitate access to data (and data portability) and connecting new services used for data management
- Force them to accept open protocols (such as "new" DNT signal sent by a browser) to communicate users' choices/decisions under the GDPR and other regulations (e.g. ePrivacy directive/regulation); this is an interesting way to redefine the whole "consent" debate and offer more meaningful, flexible tools of data management (independent from platforms' graphical interfaces)
- Propose limitations on behavioural targeting that serve societal (not only individual) interests
- Demand transparency and accountability of predictive models/algorithms that are used to influence users' decisions and behaviour (incl. ad optimisation algorithms and algorithms used to curate the newsfeed)
- Assessing strategically significant market position beyond "market power"
- Articulating a normative justification for such responsibility
- Identifying tangible responsibilities
### Enforcement
- What mechanisms might increase the enforcement of existing laws, or increase the practical capacity of regulators (both the traditional data ones and also ones protecting other rights and freedoms that are affected by data) to oversee complex systems?
- DPAs & EDPB lack expertise, independence, and resources to effectively enforce the rules
- Are most of the problems inherent in the current regime symptomatic of wider issues?
- Is the lack of action by Supervisory Authorities due to a lack of resources or wider political realities?
- Is the cost of litigation preventing enforcement and what mechanisms can be introduced to encourage legal action?
- How can under-utilised enforcement mechanisms (including the potential for collective remedies and private enforcement) complement the work of regulators?
- Oversight in secondary markets for personal data
### Compliance
- How can we ensure companies cannot escape regulation through encryption or intellectual property?
### Redress
- Alternative forms or approaches to redress
### Adoption/development of privacy friendly tech
- How can European institutions become better at absorbing privacy-friendly technical developments?
- How can European institutions set regulations that encourage development of privacy-friendly technical solutions?
- What can be done by actors within or outside the European institutions when member state institutions punish or crack down on privacy-friendly solutions that counteract data protection values?
- What public education and communications work needs to be done to make the GDPR more effective in empowering people to assert their data rights, and should this even operate at the individual level?
### Interoperability
- Portability
- Little used and of limited utility unless developed in practice
- What are the specific problems that we are trying to solve with various measures that come under the umbrella of "interoperability"?
- What are the necessary elements/building blocks of "interoperability" in practice?
- What would be the implications of introducing these measures for users, social interest groups, regulators and new companies? [modelling exercise]
### Data sharing mandates
### Economic incentives
- Regulation without thinking through the effects on incentives to invest, to enter markets, to share or block data access, etc, will have unintended and possibly counter-productive consequences
- Concern that the legally-rooted privacy focus, which has framed the data debate, could result in far less investment in data and sharing of data for social benefit
### Coherence
- Assessing whether, and if so how, coherence can be achieved between data protection law and policy and other elements of economic and industrial policy, including the application of competition law
- Interplay between the GDPR and existing human rights law
## Current context
### Asymmetries of power/monopolies
- data colonialism/imperialism
- What are the ways in which colonial inequalities reproduce themselves within data governance?
- Effects of large data centres based in northern Europe and the US in relation to the global south
- How to build a ground up, bottom up, inclusive approach to data through local data centres, rather than relying on ‘big tech’?
- Data localisation
- data exploitation models
### AI & ADM
- profiling
- data aggregation
- If some companies can do more with less data, doesn't this make data minimisation a red herring?
- implication for privacy & data protection
- In what ways do artificial intelligence applications challenge existing data protection regulation, and what are the lessons we can take forward into Algorithmic Accountability frameworks?
### Industrial data
- increased use
### Surveillance
- The impact of excessive surveillance on human privacy, agency and identity
### Geo-political shifts
### COVID-19
- Regulatory framework for the deployment of surveillance tech and data sharing in response to the Covid-19 pandemic
- How will Covid-19 shape the future of data regulation and data politics?
- Data privacy in time of pandemic
- How has data been used during the Coronavirus crisis, and what is the potential of data to do good in these circumstances?
- What is the impact of GDPR exemptions in the context of COVID-19?
### Brexit
- How will data regulations change post-Brexit?
### Risks?
- data quality
- biases/bad decisions
- Are there any existing regulations, or should there be, about quality testing, or auditing data sets that are put through these decision making systems?
- The dialogue today mostly focuses on algorithmic transparency, and having humans in the loop, but if the problem really is "garbage in, garbage out", perhaps a focus on the data used could produce better results
- gender data gap
- bad solutions
- data ownership
- Trends or developments which may impact on the existing regime
## Broader framing
### Personal data vs impact/harm
- What should be the scope of future-looking data regulation? Is personal data still the right threshold, or should it hinge on impact (like with recent AIA Bills in the US)?
### Individual vs Collective
- Collective data rights
- Understand what they are
- How they can be implemented in practice
- How they interplay with individual data rights
- How they fit in to the history of privacy protections and what we can learn from that (given that privacy protections initially started with a more collectivist lens post war)
- Societal consequences
- Data protection regulations based on rights frameworks like the Charter protect individual rights, but it's clear that with mass collection, processing, and sharing, you don't have to give away your data to suffer societal consequences of abuse of data (eg Cambridge Analytica)
- How to establish collective protections, understand collective harms, and devise mitigation strategies?
- The answer can't just be "data trusts", because that may worsen the crisis of trust (who can we trust with that data? would they have the infrastructure to truly protect it?)
- How can important, under-applied principles such as fairness, data minimisation and purpose limitation be used to secure collective protection and systemic change to data processing operations?
### Industrial data policy
- Understanding the trend of governments (EU, India, China) aggressively pursuing enabling AI/data policies that focus on increasing regional/national competitiveness through industrial data
- How do these policies intersect (and potentially conflict) with privacy and rights frameworks?
- How can we mitigate the dangers of a parallel legal regime for "industrial data"?
### Core ethical frameworks
- What do trustworthy institutional/governance frameworks look like?
- Do we mean independent state-funded bodies like Ofcom or ONS? Or a legal model for something like data trusts? Or a highly specified regulatory framework, GDPR+++? Or a statute setting out responsibilities but people can bring whatever business model they want?
### Effective communication
- "post-GDPR"
- Risk of undoing some of the advances for digital rights
- "social value of data"
- Risk that this value will be used to undermine civil liberties
- "data stewardship"
## Where we want to be
### What are we regulating towards?
### What change do we want to see?
## Narratives
### Developing alternative narratives about data
### Metaphors and images for data and data transactions