by Borys Omelayenko, CIPP/E

Privacy and Machine Learning: A Happy Marriage


For decades, privacy and machine learning lived fairly separate lives. But with GDPR (General Data Protection Regulation) of the European Union in place, privacy and machine learning demand more unity.

Will it be a happy marriage? Let us examine its key components.


Defining Goals

GDPR mandates that companies processing personal data be specific and explicit about the goals of processing, and that the processing be strictly necessary for achieving these goals.

For example, processing delivery orders is necessary for an online store, but applying analysis and machine learning to these orders to predict future purchases is not.

Under GDPR, companies are not allowed to be vague on declared goals, and are not allowed to bundle services that can be provided separately. This cuts off the possibility of either declaring a broad goal including machine learning, or bundling machine learning in with an order processing service.

To apply machine learning to personal data, this web shop needs to request special permission from each customer, who is free to deny the request or to withdraw any previously granted permission.

From the privacy perspective, machine learning is often not necessary—at least not here and now—and needs permission to be in the room.

Where would regulators and courts draw the line? Is prediction necessary for a modern, competitive web shop? Or is it still an add-on to the order execution?

Personal Data Reuse

Machine learning, analytics, and data science have always been about exploring new ways of using data: gaining new insights, pursuing new goals. In terms of GDPR, this means reusing personal data collected for one declared purpose. Going outside of this single specified purpose is explicitly prohibited under GDPR.

Personal data reuse is illegal, making any gain obtained from reuse illegal as well.

Retention

Under GDPR, companies are obliged to establish, communicate, document, and follow retention policies, routinely deleting data that is outdated or unnecessary, or whose deletion has been requested.

A web shop may eventually need to delete a customer’s order history, but it may keep the now-anonymous customer information classifying them as a “reader” for purchasing three books and magazines. It may eventually want to redefine the “reader” category to include those who purchased only books, and at least five of them, and to reclassify past clients. This may prove difficult without the order history available.

The whole field of machine learning evolved with the assumption that the data is always there, and that a neural network can be retrained from scratch. This assumption is no longer valid.

Machine learning algorithms must be able to accommodate partial versions of old data, deal with snapshots, and even evict parts of the network that contain personal data.

Profiling

The use of trained models is somewhat limited. Under GDPR, an individual can opt out from decisions made solely based on automatic means or that produce legal effects. This means that any significant decision made by a machine learning system needs to be piped through a human for those who decide to opt out.

Machine learning needs to consult privacy on any important decision making.

This hits a lot of machine learning-based business models that seek to eliminate human error.

National implementations of GDPR often make special provisions that allow governments to operate speed cameras and other similar systems, provisions that are not typically expanded to commercial entities.

But while the legal effect of traffic regulations is pretty clear, it is less clear in cases that have yet to be defined by regulators. The web shop may offer lots of products, and alter which products are displayed to a customer. This is applying machine learning to the customer’s past behavior and essentially highlighting only the most relevant choices. Is this a legal effect of machine learning, or just a reality of navigating overwhelming choice?

Erasing Data

Finally, GDPR grants each individual the right to be forgotten, requiring companies that process personal data to erase it. This, of course, is restricted by other rights and obligations. For example, an individual can’t get a bank loan and come back the next day asking the bank to “forget about it.”

A Happy Marriage

Like any happy marriage, the secret to privacy and machine learning’s union hinges on one thing: compromise. Machine learning is a key component of personalization, yet GDPR mandates that privacy protects the data of individuals. And so, satisfying both of these things demands balance.

GDPR keeps businesses in check while empowering the customer—keeping privacy intact while maintaining the level of personalization that consumers expect.
