AI ADAPT PROTECT

There is a growing awareness worldwide that the personal data of users of online information services are not adequately protected. Companies harvest and utilise personal data on a massive scale, including browser behaviour, social media messages, and content on personal websites. Concerns about the collection, use and leakage of personal data have become more pronounced since the rise of “big data”, i.e. very large data sets gathered from mobile devices, bio-sensors, cameras, GPS trackers and social media. These data are analysed using increasingly sophisticated machine learning techniques to deliver new insights and predictions about an individual’s behaviour and also feed increasingly personalised AI-driven interactive digital experiences. The rate of technological innovation, now accelerated by big data and machine learning techniques, invariably outpaces public policy debate and the development of new regulation for the protection of personal data. This comes as the scale and social impact of data analysis is rapidly increasing. Individuals and groups are poorly placed to consider the impact of use of their personal information, especially when this use also delivers attractive personalised digital services. At the same time, tech companies, especially SMEs, lack the knowledge and expertise needed to address the complex legal and ethical implications of collecting and analysing personal data. ESRs will develop new ways of empowering users of digital services to understand the risks they take with their rights and interests when they go online and offer new ways to enable developers to incorporate privacy, data protection and broader ethical considerations into the development of digital services, even as they are face growing commercial and competitive demands to exploit personal data.

PROTECT Network on AI Data Governance led by Trinity College Dublin and the SFI ADAPT Centre, is a unique multidisciplinary, cross academic-industry and international European Training Network (ETN), made up of five institutions in Ireland, Belgium, Netherlands and Spain, funded under the EU’s Marie Skłodowska-Curie Actions to train a new generation of 14 Early Stage Researchers (ESRs) as PhD graduates.

The project investigates methods to protect the rights and interests of individuals impacted by the continuous large-scale analysis of personal data, while still enabling the economy and society to benefit from rapid innovation in digital applications that use this data and thereby underpin the Digital Single Market.

ESRs will receive training to enable them to integrate and apply arguments, analyses and tools from across the fields of law, technology ethics and knowledge engineering, so that they can excel in research and data science careers within digital services industry and public policy sectors to address problems of data protection, data ethics and data governance.

Objectives:
Develop a set of standard form privacy policies consistent with GDPR requirements, to reduce the effort that service providers need to annotate and enforce policies and users need to select digital service offerings matching their preferences;

Validate the consistency of machine-readable renderings of standard form policies against human readable and legal codification versions and the completeness of that rendering in compliance technical platform;

Assess the ethical impact of proposed standard form policies against shifting user expectations.

Expected Results:
Input to the design of standard forms developed for privacy paradigm policies based on assessing their accessibility and usefulness to users and data controllers who will use them day-to-day. Provision of a set of digital service use cases for use in assessing different forms of privacy policy in service selection and usage scenarios, for different user demographics, e.g. by age, gender, income. Results in a repeatable methodology for assessing privacy policy notification that integrates probes for usability assessments with assessing legal sufficiency of the policy.

The project will deliver a systematic ethical assessment of the diversity of privacy issues that are associated with the collection and storage of various personal information by websites. The ethical assessment will focus on similarities and differences in the privacy expectations regarding different types of personal information (from browser behaviour to video selfies), modes of collecting and storage them, and purposes for which they are or could be used. This will be based in part on consultations of stakeholders and their values and preferences regarding privacy, as well as responsible innovation, such as open source and gender issues. This will provide an analysis of the proper division of labour between privacy policies and technological protections offered by the Privacy Paradigm approach.

Individuals cannot cope with the high number of privacy consent terms they have to agree with as Internet users. Currently, there are no tools and services supporting the management of these documents, and the user lacks the means to effectively track to which consent has been given and for which purposes. This situation may be improved if consent forms and privacy terms were represented in an explicit data vocabulary that can be automatically processed and is capable of being reasoned over to assist with data protection compliance and risk assessments.