1. The European Law on the processing of personal data
In Europe, the protection of natural persons in relation to the processing of personal data is a fundamental right. In fact, Article 8 of the Charter of Fundamental Rights of the European Union (the Charter) concerns the protection of natural persons in relation to the processing of personal data. Furthermore, the Charter also considers respect for private and family life a crucial aspect of privacy.
Moreover, the Treaty on the Functioning of the European Union (TFEU) recognises the right to the protection of personal data. This is the general legal framework, and the protection of personal data is governed by Directive 95/46/EC. Nevertheless, in 2016 the European Regulation number 679/2016 was published; it entered into force on 25 May 2016, but it shall apply from 25 May 2018 [3]. According to Article 94, this Regulation will repeal Directive 95/46/EC with effect from 25 May 2018. Therefore, Directive 95/46/EC will be applicable until 25 May 2018.
The GDPR obviously mentions the Charter of Fundamental Rights of the European Union in its first recital (Whereas). The primary goal is to harmonise the legislation of each Member State: the GDPR will be directly applicable in each European State, avoiding possible confusion among domestic laws. The GDPR introduces numerous changes, such as the Data Protection Impact Assessment (DPIA), Data Protection by Design and by Default (DPbDbD), the data breach notification, the Data Protection Officer (DPO), the very high administrative fines for infringements of the Regulation, and so on.
Regarding the protection of personal data, apart from the aforementioned GDPR, there is also Directive 2002/58/EC [4] concerning the processing of personal data and the protection of privacy in electronic communications. In fact, Article 95 of the GDPR sets out the relationship with this Directive.
Directive 2002/58/EC aims “to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community”.
In this legal panorama, it is clear that technology and law are not at the same level, because the former (technology) is always ahead of the latter (law). The legislator's actions have always followed the technological solutions, and so the rules have to be able to take the evolution of technology into account.
Although 25 May 2018 might seem a long way off, it is crucial to analyse the GDPR now in order to be ready to comply with the new data protection Regulation. In fact, the General Data Protection Regulation (GDPR) represents an innovative data protection law framework, because of the several purposes on which it is based.
2. Robotics and data protection
The relationship among robotics, Artificial Intelligence (AI), Machine Learning (ML), data protection and privacy has been receiving specific attention recently. These topics were addressed in 2016 at the 38th International Conference of Data Protection and Privacy Commissioners, which produced a “Room document” titled “Artificial Intelligence, Robotics, Privacy and Data Protection”. Recently, the Information Commissioner’s Office (ICO) produced a discussion paper titled “Big data, artificial intelligence, machine learning and data protection”.
The most important topics related to data protection and privacy are Big Data, Internet of Things (IoT), Liability and Ethics.
The Big Data topic is also related to the Internet of Things (IoT) phenomenon, which gives rise to several applications in different sectors (Personal, Home, Vehicles, Enterprise, Industrial Internet) [6]. The IoT is a continuously evolving system that can be considered an ecosystem. The fields of Big Data and Blockchain are, really, the main emerging phenomena in the IoT ecosystem, but people have paid more attention to the technical and security issues than to the privacy and personal data protection ones. Certainly, the security aspects are relevant to avoid or reduce the risks for data privacy. However, we cannot dismiss the right approach, according to the GDPR’s principles.
The IoT ecosystem allows several applications to be developed for different sectors such as, in the last few years, the “smart” one. In fact, we talk about smart city, smart grid, smart car, smart home, etc. In each of these fields, applications are being developed that allow objects to interact among themselves, transferring information in real time and processing Big Data.
From a technical point of view, these applications have to be developed guaranteeing a high security level to avoid any alteration. As the technology develops, the attacks on the systems grow as well. However, we cannot dismiss the several threats to these systems. The IoT concept is broad, and it can also concern critical infrastructure: what about this crucial point? It is clear that technological evolution is a value, but at the same time it is important to prevent any fraud attempt by using both high-security measures and privacy and personal data protection solutions.
2.1. Big Data and Data Protection
Big Data has been defined by Gartner as follows:
Big Data is high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation.
Thus, Big Data is a phenomenon that consists of fast and exponential growth in data and data traffic, and it requires data analysis and data mining procedures. Hence, it implies big data values (the Four Vs of Big Data are well known: Volume, Velocity, Variety and Veracity, IBM [8]), but considering data as a value it is possible to extend the approach to Five Vs, the last V standing for Value. It is very simple to develop applications that, by having access to data, can execute data mining activities with every imaginable consequence. In this context, the main goal is to protect personal data because of their highest value.
Nowadays we are witnessing growing interest in the fast evolution of the Internet and, more and more often, we hear about Big Data, Artificial Intelligence (AI) and Machine Learning (ML). What are they about? Indeed, AI and ML are two different topics, but they are closely related to each other.
The main topic is the rational agent, that is, “one that acts so as to achieve the best outcome or, when there is uncertainty, the best expected outcome”.
Furthermore, according to Tom M. Mitchell:
Machine Learning is a natural outgrowth of the intersection of Computer Science and Statistics. Whereas Computer Science has focused primarily on how to manually program computers, Machine Learning focuses on the question of how to get computers to program themselves (from experience plus some initial structure). Whereas Statistics has focused primarily on what conclusions can be inferred from data, Machine Learning incorporates additional questions about what computational architectures and algorithms can be used to most effectively capture, store, index, retrieve and merge these data, how multiple learning subtasks can be orchestrated in a larger system, and questions of computational tractability.
Having said this, it is certainly clear that these topics belong to the computer science area. However, as insiders will certainly agree, the distorted picture of AI that exists on the web is striking: it is enough to read the articles and contributions on the Internet to get an idea of the phenomenon. Searching the web, it is possible to find many resources about AI that treat it as if it were the discovery of the century. In this way it might seem that Artificial Intelligence (AI) is a recent discovery, even 2017 news. Indeed, this is a very restrictive way to describe and present the topic, because those who deal with computer science know that it is not so. Hence, due to technological progress and especially to societal evolution, AI and machine learning have come to be viewed as innovative resources for future development.
Generally speaking, data is collected, stored and used: what about the processing of personal data? From a legal perspective it is mandatory to comply with the GDPR principles set out in Article 5, specifically: Lawfulness, fairness and transparency (5.1a), Purpose limitation (5.1b), Data minimisation (5.1c), Accuracy (5.1d), Storage limitation (5.1e), Integrity and confidentiality (5.1f), Accountability (5.2).
Moreover, we cannot dismiss the “data subject’s consent” (Article 7) and security (Article 32).
Someone [11] argues, despite the aforementioned principles, that the GDPR is incompatible with Big Data and that there is a need to implement it.
2.2. Ethics, Data Protection and Privacy
The collection and use of data also implies an ethical approach to Robotics, Artificial Intelligence, Big Data and the IoT ecosystem. Generally speaking, ethics could appear to be an unimportant topic but, instead, it is a very important aspect, especially when talking about data protection and privacy.
The European Data Protection Supervisor (EDPS) issued Opinion 4/2015 [12]. In this Opinion the EDPS, talking about Big Data, highlighted the tracking of online activity.
The ICO takes up the same point in the aforementioned discussion paper [5], which contains specific statements on Ethics.
In Europe, it is possible to address any matters related to Ethics and Robotics (including Big Data, AI, IoT, ML) through the GDPR. Outside Europe, instead, because of the lack of an international ethical standard, the matter should be addressed through policies or other contractual solutions.
Interest in Ethics is growing so much that industries and public bodies are paying attention to this topic with policies and initiatives to highlight how to address the ethical dimension correctly. This scenario demonstrates that Ethics is an emerging profile related to Big Data, data protection and privacy, and to the awareness about it. Raising awareness of Ethics is undoubtedly a significant step towards the right approach.
The GDPR proposes (Article 32) some security solutions to protect personal data and manage the risks. Apart from the possible solutions (inter alia, pseudonymisation and encryption of personal data), the ethical focal point is to protect personal data while guaranteeing the dignity of each natural person. In Europe, as the EDPS clarified, there is no legal protection for dignity as a fundamental right, but it shall be derived from the data protection legal framework and specifically from the GDPR. An ethical approach is needed, not only theorised and developed by Public Bodies (such as the European Ethics Advisory Board) but mainly practised by the private sector. The principles provided for in Article 5 of the GDPR are the primary references for Ethics, but we cannot dismiss the other rules of the same Regulation. Risk management necessarily requires reference to the GDPR’s rules.
Hence, one ethical aspect is transparency, considering data protection and privacy as a value and not as a mere cost. Industries and organisations often seem to have a wrong approach to privacy and data protection, evaluating them only as a cost. Data protection and privacy are, indeed, “processes”, and assessing them to comply with the law is the right way to address them.
The data subject must be at the centre of the data processing, considering his/her rights and the power to control his/her personal data. The main matter, thus, is that individuals must have full control of their personal data. Some ethical issues emerge from the use of personal data by industries or organisations. It would be desirable to consider a business ethics approach to process personal data correctly, according to the GDPR (or, in general, the laws). It is evident that some ethical rules can be provided by the law, but in certain cases they might result in policies or agreements.
We know that the GDPR concerns the protection of personal data in Europe, and one issue is related to processing outside Europe. The GDPR's jurisdiction could be a limit for any business from or outside Europe; in this case, policies or agreements can compensate, as said.
2.3. Data Protection by Design and by Default
Apart from the reference to the GDPR principles as shown, there is another fundamental key, provided for in Article 25: Data Protection by Design and by Default (DPbDbD). Specifically, paragraph 1 relates to Data Protection by Design, whereas paragraph 2 relates to Data Protection by Default. In October 2010, the 32nd International Conference of Data Protection and Privacy Commissioners adopted a resolution on Privacy by Design (PbD) [13] that is a landmark and represents a turning point for the future of privacy. This Resolution proposes the following seven foundational principles: (1) Proactive not Reactive; Preventative not Remedial; (2) Privacy as the default; (3) Privacy Embedded into Design; (4) Full Functionality: Positive-sum, not Zero-sum; (5) End-to-end Lifecycle protection; (6) Visibility and transparency; (7) Respect for user privacy.
The main goal is to set out two concepts: a) data protection and b) the user. To develop an effective data protection and privacy approach, we must start any process with the user, the person who has to be protected, putting him or her at the center. This means that during the design process, the organization always has to be thinking of how it will protect the user's privacy. By making the user the starting point in developing any project (or process), we realize a PbD approach.
The European Data Protection Supervisor (EDPS) has promoted PbD, touting the concept in its March 2010 Opinion of the European Data Protection Supervisor on Promoting Trust in the Information Society by Fostering Data Protection and Privacy [15]. It was not long after this endorsement that the 32nd International Conference of Data Protection and Privacy Commissioners adopted the PbD concept as well.
In the EU Regulation 679/2016 this approach became “Data Protection by Design and by Default” (DPbDbD). Between “Privacy by Design” (PbD) and “Data Protection by Design and by Default” there are differences in terms of methodological approach, but the main goal is to highlight the need to start from the user in any privacy project.
Hence, according to Article 25, it is possible to address each project correctly by applying these rules.