A trust-based framework for the data-driven economy Nicolo Zingales, Tilburg Institute for Law , Technology and Society (TILT) MyData 2016, Helsinki, 1 September 2016

Data is…?

Rather, data is….

The truth about data as oil leakage

The main cause of this pollution?

Legitimate interest to pollute? (…) necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where (…) overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data any interest that is real (non speculative), sufficiently specific and “accepted by law” Balancing factors: Nature of data Reasonable expectations Way of processing data Balance of power, including whether data subject is a child Status of the data controller and data subject Impact on data subject including less specific, broader emotional impacts

GDPR (and not only): moving away from consent Freely given- utmost account shall be taken of whether performance […] is conditional on consent […] that is not necessary for the performance of that contract (art. 7.4) Burden of proof on controller (art. 7.1) Legitimate interest Duty of controllers to explicitly inform data subjects of their asserted legitimate interests (art. 13-14) Typified cases: (1) network and information security; (2) fraud prevention; (3) direct marketing; (4) internal transfer for administrative purposes Compatibility of further processing (re-purposing) If not based on consent or statute, depends on link with original purpose, nature of data, context, possible consequences for data subject, and existence of safeguards Typified cases: (1) archiving purposes in the public interest; (2) scientific or historical research purposes; (3) statistical purposes Conflict of interest and lack of expertise

Towards a model framework

Coming to terms with “platform responsibility” Codes of conduct

Trust , but verify : a first attempt to certify HR compliance Tos and HR Project, coordinated by the Center for Technology and Society of the Fundação Getulio Vargas in partnership with the Council of Europe (i) development of benchmarks based on international human rights standards (ii) analysis of ToS of 50 platforms by three independent analysts (iii) crossing of assessments of the three analyses and computation of statistical results; Privacy, FoE & due process

Scope of the study Platform: “any web application allowing users to find, disseminate and receive information or ideas according to the terms established in the contractual agreement” Focused on the following types of services: mail, instant communication, social network, cloud storage,music/video streaming, community fora, crowdfunding

FoE issues 70% provides mechanisms to report abusive content and solicit removal 52% affirms that content removal need not be notified 88% can delete accounts without notification

Privacy & DP issues 32% platforms do not permit anonymity or pseudonymity 66% track users on other websites and 80% permit that third parties track on their sites 62% shares data with third parties for commercial purposes by default

Only 52% affirms that it aggregates across services, usually by default Only 38% affirms that it aggregates information across devices, 2% that it does not.

Due process issues 30% of platforms explicitly commits to notify users on possible alterations of terms of service 12% affirms that there will be no notification 26% require class action waiver 86% impose mandatory jurisdiction

Privacy score

FoE score

Due Process score

Not only “trust”, but “entrust” Voluntary certification schemes (e.g. trust marks or seals of approval). Scope can be extended throughout the EU by the EU DP Board (art. 42) Incorporate the crowd’s wisdom as to the clarity of terms of service