“Data portability”的意思、由来-开放百科全书

Data portability is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. closed platforms, thus subjecting them to vendor lock-in. Data portability requires common technical standards to facilitate the transfer from one data controller to another, thus promoting interoperability.

Data portability applies to personal data. It involves access to the personal data without implying data ownership per se.

At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. ^[1]

At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 General Data Protection Regulation (GDPR).

The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. ^[2]

Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms.

European Union

The right to data portability was laid down in the European Union's General Data Protection Regulation (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state.

Earlier the European Data Protection Supervisor had stated that data portability could "let individuals benefit from the value created by the use of their personal data".^[5]

The European-level Article 29 Data Protection Working Party held a consultation on this in English lasting until the end of January 2017.

Their guidelines and FAQ on the right to data portability contain this call for action:

In April 2017, new guidelines were published on the Article 29 Working Party website.^[6]

The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.^[7]

Although the United Kingdom voted to withdraw from the EU, it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".^[8]

Switzerland

Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). ^[9]

A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.^[10] The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.^[11]

Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity ^[12]

Requirements for effective data interoperability

It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format".

This touches on at least two distinct technical requirements for effective interoperability:

Rights of data subjects under the European Union's new GDPR

Data portability in relation to the right of access

The data portability right is slightly different from the Right of access to personal data; see GDPR and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with Recital_(law). Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought.

In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract.

Data portability in relation to the right of explanation

The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a decision tree. This right, however, was found to be not very useful in an empirical study.^[14]

The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.^[15] This includes decisions based on profiling. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.^[16] The issue has been discussed by Bygrave,^[17] and by Hildebrandt,^[18] who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below).

In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;^[19] the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).^[20] Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program^[21]

Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.^[23] Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the London School of Economics (LSE).^[24] In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.^[25]

Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."^[26]

A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.^[27]

A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.^[28] A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.^[29] Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.^[30]

On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,^[31] and developed a Data Science Ethical Framework.^[32] On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.^[33] Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.^[34] By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".^[35]

Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.^[36]

See also

References

1. ^ {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}
2. ^{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}
3. ^The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}
4. ^{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}
5. ^{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}
6. ^{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.
7. ^{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}
8. ^{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}
9. ^{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}
10. ^{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}
11. ^{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}
12. ^{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}
13. ^{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}
14. ^ {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}
15. ^{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation|date= July 22, 2016 |publisher=White & Case}}
16. ^{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}
17. ^Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf
18. ^Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/
19. ^{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}
20. ^{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}
21. ^{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}
22. ^{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}
23. ^{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}
24. ^{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}
25. ^{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}
26. ^{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}
27. ^{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}
28. ^{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}
29. ^{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}
30. ^{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}
31. ^{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}
32. ^{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}
33. ^{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}
34. ^{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}
35. ^{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}
36. ^{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}