scispace - formally typeset
Author

Mike Hintze

Other affiliations: Future of Privacy Forum
Bio: Mike Hintze is an academic researcher from University of Washington. The author has contributed to research in topics: Data Protection Act 1998 & General Data Protection Regulation. The author has an h-index of 4, co-authored 8 publications receiving 34 citations. Previous affiliations of Mike Hintze include Future of Privacy Forum.

Papers
Journal ArticleDOI
TL;DR: In this article, the authors examine how the GDPR addresses de-identification and propose that the incentives to apply de-identification found in these provisions should be reinforced by guidance and enforcement decisions that will reward the use of de-identification and encourage the highest practical level of de-identification.
Abstract: In May 2018, the General Data Protection Regulation (GDPR) will become enforceable as the basis for data protection law in the European Economic Area (EEA). Compared to the 1995 Data Protection Directive that it will replace, the GDPR reflects a more developed understanding of de-identification as encompassing a spectrum of different techniques and strengths. And under the GDPR, different levels of de-identification have concrete implications for organizations’ compliance obligations – including, in some cases, relief from certain obligations. Thus, organizations subject to the GDPR can and should consider de-identification as a key tool for GDPR compliance. Nevertheless, there are many respects in which GDPR obligations remain unclear. Regulators and policymakers can help advance the rights of data subjects and further the objectives of the GDPR, while providing additional clarity, by interpreting, applying, and enforcing these GDPR provisions in a way that encourages and rewards the appropriate use of de-identification. This article examines how the GDPR addresses de-identification. It reviews several substantive obligations under the GDPR, including notice, consent, data subject rights to access or delete personal data, data retention limitations, data security, breach notification, privacy by design and by default, and others. In each case, it describes how the use of different levels of de-identification can play a role in complying with the relevant obligations. It proposes that the incentives to apply de-identification found in these provisions should be reinforced by guidance and enforcement decisions that will reward the use of de-identification and encourage the highest practical level of de-identification. Such an approach will bring clarity to the rules, enable practical tools for compliance, help foster greater consistency with data protection regimes in other jurisdictions, and advance the purposes of the regulation.

24 citations

Journal ArticleDOI
TL;DR: In this paper, the authors examine how the GDPR addresses de-identification and propose that the incentives to apply de-identification found in these provisions should be reinforced by guidance and enforcement decisions that will reward the use of de-identification and encourage the highest practical level of de-identification.
Abstract: In May 2018, the General Data Protection Regulation (GDPR) will become enforceable as the basis for data protection law in the European Economic Area (EEA). Compared to the 1995 Data Protection Directive that it will replace, the GDPR reflects a more developed understanding of de-identification as encompassing a spectrum of different techniques and strengths. And under the GDPR, different levels of de-identification have concrete implications for organizations’ compliance obligations – including, in some cases, relief from certain obligations. Thus, organizations subject to the GDPR can and should consider de-identification as a key tool for GDPR compliance. Nevertheless, there are many respects in which GDPR obligations remain unclear. Regulators and policymakers can help advance the rights of data subjects and further the objectives of the GDPR, while providing additional clarity, by interpreting, applying, and enforcing these GDPR provisions in a way that encourages and rewards the appropriate use of de-identification. This article examines how the GDPR addresses de-identification. It reviews several substantive obligations under the GDPR, including notice, consent, data subject rights to access or delete personal data, data retention limitations, data security, breach notification, privacy by design and by default, and others. In each case, it describes how the use of different levels of de-identification can play a role in complying with the relevant obligations. It proposes that the incentives to apply de-identification found in these provisions should be reinforced by guidance and enforcement decisions that will reward the use of de-identification and encourage the highest practical level of de-identification. Such an approach will bring clarity to the rules, enable practical tools for compliance, help foster greater consistency with data protection regimes in other jurisdictions, and advance the purposes of the regulation.

14 citations

Journal ArticleDOI
TL;DR: Global firms that gather, use or store GDPR personal data should consider the possibility that Controlled Linkable Data as described in this White Paper enables secondary uses of data while ensuring compliance with GDPR requirements.
Abstract: The new obligations imposed by the General Data Protection Regulation (GDPR) do not prohibit the use of personal data for analytics or other beneficial secondary uses. But they do require the adoption of new technical and organizational measures to protect that data. The GDPR explicitly points to pseudonymizing as one such measure that can help meet the requirements of several of its provisions. The GDPR further recognizes differing levels of de-identification in a way that provides incentives for organizations to adopt the optimal type and level of de-identification that can help them use personal data for beneficial purposes while meeting their compliance obligations and protecting the privacy of individuals. By enabling the use of “Controlled Linkable Data” (as described in this White Paper) that retains the utility of personal data while helping to meet organizations’ compliance obligations and to significantly reduce their risk of liability, Anonos® BigPrivacy® technology can help organizations navigate and meet these new GDPR requirements. Thus, Anonos BigPrivacy technology can ease regulatory burdens and be a key component of an overall GDPR compliance program. The body of this paper describes in detail the regulatory background, technological innovations, and practical applications of Controlled Linkable Data, leading to the maximization of data value and individual privacy in a GDPR-compliant manner. First, in Section III, we introduce the concept of Controlled Linkable Data in the context of the GDPR. Next, in Section IV, we describe the GDPR’s new requirements, focusing on the distinction between privacy by design and data protection by default, and noting that the former is merely a subset of the latter, making it insufficient to satisfy the GDPR’s stringency. We also introduce the essential concept of Controlled Linkable Data.
In Section V, we explain how Controlled Linkable Data enables a more powerful form of de-identification, one encouraged by the GDPR, but which has previously not been achievable by technical methods. This leads to the conclusion that “data protection over the full lifecycle of data by leveraging technical and organizational measures, including pseudonymisation, [ensures] that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.” Next, Section VI analyzes numerous relevant sections of the GDPR (specifically, Articles 5, 6, 11(2), 12(2), 15-22, 32-36, 40, 42, 82 and 88), showing how Controlled Linkable Data helps satisfy the specific GDPR requirements. Last, in light of this understanding of the requirements, limitations, exclusions and overall principles of the GDPR, Section VII explains the technical basis of Anonos BigPrivacy technology, how it implements Controlled Linkable Data, and how this solution addresses GDPR compliance concerns for all parties: data controllers, regulators and data subjects. Global firms that gather, use or store GDPR personal data should consider the possibility that Controlled Linkable Data as described in this White Paper enables secondary uses of data while ensuring compliance with GDPR requirements.

8 citations

Journal ArticleDOI
TL;DR: The data protection obligations on organizations that purchase and deploy products and services that collect and transmit data to a third-party provider are described, along with the similarities and differences (if any) in those obligations between cases where the data is collected by a data processor and cases where it is collected by a data controller under the General Data Protection Regulation (GDPR).
Abstract: Modern enterprises increasingly purchase and deploy products and services from third parties that collect data as part of providing the services. In this context, there is a common belief that the enterprise must be the “data controller” (in the terminology used in European data protection law), and the third-party provider must be a “data processor” acting on behalf of the enterprise. However, such a blanket rule is neither required by the law nor reflective of reality. There are many instances in which a third-party provider acts in whole, or in part, as a data controller. While the characterization of the third-party provider as a controller or a processor has certain legal ramifications, the difference may be less significant under the General Data Protection Regulation (GDPR) than under prior European data protection law. Legal compliance, risk mitigation, and appropriate protection of personal data can be achieved whether using products and services provided by data controllers or data processors; and there are pros and cons to each approach. This paper describes the data protection obligations on organizations that purchase and deploy products and services that collect and transmit data to a third-party provider. For each obligation, it will discuss the similarities and differences (if any) in those obligations between those cases where the data is collected by a data processor and those where the data is collected by a data controller. This paper focuses on those obligations imposed by the European GDPR; but because many of the principles and obligations occur in other privacy laws around the world, many of the conclusions can be generalized for global approaches to compliance.

8 citations

Posted Content
TL;DR: In this paper, the authors discuss the multiple purposes of privacy statements, including the legal obligations they are designed to fulfil, and argue that efforts to make privacy statements significantly shorter and simpler are optimizing for the one audience least likely to read them, rather than the audiences in the best position to police privacy statements and the practices they describe.
Abstract: Size matters. In fact, when it comes to privacy statements, there is an obsession with size. Much scholarship and commentary on privacy statements bemoans the fact that consumers rarely read them and places the blame on the length of those statements. The solution? Shorten and simplify! Proposals for standardized short-form notices, “nutrition label” notices, icons, and other attempts to replace long privacy statements abound. But none have proven to be a satisfactory substitute for a full, detailed description of what data an organization collects and how it is used, shared, retained, and protected. These short-form approaches inevitably leave out important details, gloss over critical nuances, and simplify technical information in a way that dramatically reduces transparency and accountability. This article discusses the multiple purposes of privacy statements, including the legal obligations they are designed to fulfil. It recognizes that there are many audiences for privacy statements, including consumers, regulators, policy makers, academics, researchers, investors, advocates, and journalists. And it argues that efforts to make privacy statements significantly shorter and simpler are optimizing for the one audience least likely to read them – consumers – rather than the audiences in the best position to police privacy statements and the practices they describe. Whatever the audience, having a detailed (long) privacy statement provides a single place where an interested reader can find the “full story” of the organization’s privacy practices. Unlike many alternate methods of providing notice, the detailed privacy statement makes the full range of privacy information available at any time, and to any person before, during or after the time an individual may be using the organization’s products or services. Long privacy statements also create organizational accountability. 
The exercise of drafting them requires organizations to do the detailed investigation to understand and document what data is being collected and how it is processed. And although few consumers other than a small number of highly-motivated individuals will read the statements, those who act on behalf of consumers do – including advocates, regulators, and journalists. It is mainly those individuals who ask the hard questions and are in a position to raise public awareness and create consequences for inadequate or problematic practices. And it is that kind of accountability that leads to positive change. To be clear, this article is not defending poorly-drafted privacy statements. Writing that is unclear, poorly organized, or needlessly complex or legalistic has no place in a privacy statement. Nor is this article suggesting that a privacy statement should be long simply for the sake of being long. A statement for a simple app that collects one type of information and uses it for one purpose can be quite short. But a privacy statement for an organization that offers a range of more complex, interrelated, and data-intensive services often must be quite long in order to provide all the relevant details. How long should a privacy statement be? A privacy statement should be as long as it needs to be in order to meet legal requirements and provide full descriptions of the pertinent data practices. Long privacy statements are often essential to achieving true transparency. But given that most consumers will not read them (regardless of the length), if we want to achieve transparency for all audiences, long privacy statements alone are not sufficient. This article should not be taken to suggest detailed privacy statements are the only way of creating transparency. And we should not write off consumers because they rarely read these privacy statements. 
Efforts should still be made to help consumers understand what is being done with their data and to give them meaningful control. Doing that well often involves measures in addition to a privacy statement, such as contextual privacy disclosures. But those measures almost always will be inadequate and incomplete unless provided in conjunction with a full, detailed privacy statement.

2 citations


Cited by
01 Jan 2018
TL;DR: This work hypothesizes that a small change to the peer review process will force computing researchers to more deeply consider the negative impacts of their work, and expects that this change will incentivize research and policy that alleviates computing's negative impacts.
Abstract: The computing research community needs to work much harder to address the downsides of our innovations. Between the erosion of privacy, threats to democracy, and automation's effect on employment (among many other issues), we can no longer simply assume that our research will have a net positive impact on the world. While bending the arc of computing innovation towards societal benefit may at first seem intractable, we believe we can achieve substantial progress with a straightforward step: making a small change to the peer review process. As we explain below, we hypothesize that our recommended change will force computing researchers to more deeply consider the negative impacts of their work. We also expect that this change will incentivize research and policy that alleviates computing's negative impacts.

93 citations

Book ChapterDOI
13 Sep 2020
TL;DR: PRIPEL is introduced, a framework for privacy-aware event log publishing that takes a fundamentally different angle and ensures privacy on the level of individual cases instead of the complete log, which enables the application of a rich set of process analysis techniques.
Abstract: Event logs capture the execution of business processes in terms of executed activities and their execution context. Since logs contain potentially sensitive information about the individuals involved in the process, they should be pre-processed before being published to preserve the individuals’ privacy. However, existing techniques for such pre-processing are limited to a process’ control-flow and neglect contextual information, such as attribute values and durations. This thus precludes any form of process analysis that involves contextual factors. To bridge this gap, we introduce PRIPEL, a framework for privacy-aware event log publishing. Compared to existing work, PRIPEL takes a fundamentally different angle and ensures privacy on the level of individual cases instead of the complete log. This way, contextual information as well as the long tail process behaviour are preserved, which enables the application of a rich set of process analysis techniques. We demonstrate the feasibility of our framework in a case study with a real-world event log.

36 citations

28 Feb 2019
TL;DR: The final author version and the galley proof are versions of the publication after peer review that features the final layout of the paper including the volume, issue and page numbers.
Abstract: • A submitted manuscript is the version of the article upon submission and before peer-review. There can be important differences between the submitted version and the official published version of record. People interested in the research are advised to contact the author for the final version of the publication, or visit the DOI to the publisher's website. • The final author version and the galley proof are versions of the publication after peer review. • The final published version features the final layout of the paper including the volume, issue and page numbers.

32 citations

Book ChapterDOI
31 Aug 2020
TL;DR: This review provides an overview of different principles that are important to make AI trustworthy and summarized them based on the principles proposed by the European Union for trustworthy AI.
Abstract: The field of algorithmic decision-making, particularly Artificial Intelligence (AI), has been drastically changing. With the availability of a massive amount of data and an increase in the processing power, AI systems have been used in a vast number of high-stakes applications. So, it becomes vital to make these systems reliable and trustworthy. Different approaches have been proposed to make these systems trustworthy. In this paper, we have reviewed these approaches and summarized them based on the principles proposed by the European Union for trustworthy AI. This review provides an overview of different principles that are important to make AI trustworthy.

23 citations

Journal ArticleDOI
TL;DR: A novel benchmark and associated evaluation metrics for assessing the performance of text anonymization methods, designed to go beyond traditional de-identification, and explicitly marks which text spans ought to be masked in order to conceal the identity of the person to be protected are presented.
Abstract: We present a novel benchmark and associated evaluation metrics for assessing the performance of text anonymization methods. Text anonymization, defined as the task of editing a text document to prevent the disclosure of personal information, currently suffers from a shortage of privacy-oriented annotated text resources, making it difficult to properly evaluate the level of privacy protection offered by various anonymization methods. This paper presents TAB (Text Anonymization Benchmark), a new, open-source annotated corpus developed to address this shortage. The corpus comprises 1,268 English-language court cases from the European Court of Human Rights (ECHR) enriched with comprehensive annotations about the personal information appearing in each document, including their semantic category, identifier type, confidential attributes, and co-reference relations. Compared with previous work, the TAB corpus is designed to go beyond traditional de-identification (which is limited to the detection of predefined semantic categories), and explicitly marks which text spans ought to be masked in order to conceal the identity of the person to be protected. Along with presenting the corpus and its annotation layers, we also propose a set of evaluation metrics that are specifically tailored toward measuring the performance of text anonymization, both in terms of privacy protection and utility preservation. We illustrate the use of the benchmark and the proposed metrics by assessing the empirical performance of several baseline text anonymization models. The full corpus along with its privacy-oriented annotation guidelines, evaluation scripts, and baseline models are available on: https://github.com/NorskRegnesentral/text-anonymization-benchmark.

19 citations