Periodic Reporting for period 2 - PROTECT (Protecting Personal Data Amidst Big Data Innovation)
Reporting period: 2021-08-01 to 2024-01-31
The rate of technological innovation, now accelerated by big data and machine learning, increasingly outpaces public policy debate and the development of new regulation for the protection of personal data. This comes as the scale and social impact of data analysis is rapidly increasing. Tech companies, especially SMEs, face complex legal and ethical implications resulting from the collection of personal data from users. The pace of change and its complex technical nature serves to overload individuals and enterprises in considering the impact of use of their personal information, especially when this use also delivers attractive personalisation of services. PROTECT ESRs will develop new ways of empowering users of digital services, individually and collectively, to understand the risks they take with their rights and interests when they go online.
PROTECT has successfully started its ESRs on career paths where they are able to navigate the complex legal and ethical challenges of fast moving data-driven AI technologies in the new era of digital regulation that the EU has entered over the duration of the project. This is evidenced via the collaborative and individual peer review publications generated and by the collaborative development of open semantic models for capturing and comparing issues around group data protection in data spaces, ethical assessment of AI and data processing technologies and AI and data processing risk assessments. It is also evidenced through the impact already achieved through dissemination targeting standardisation and policy development activities, including: mapping of the AI Act to international standards, open semantic models to GDPR compliance and management of data sharing; data protection policy and AI ethics policy.
The technical research work of the PROTECT network was conducted through three multidisciplinary work packages. These work packages combine ESR researching privacy law, the philosophy sub discipline of technology ethics and the computer science sub discipline of knowledge engineering. Each of these disciplinary specialisms plays a key role in advancing the rights and protections of citizens in today’s accelerating digital ecosystem. Law research follows a doctrinal approach to studying EU/international law and judgements, addressing structure and seeking inconsistencies and looking to add, adjust or improve legislation. Technology Ethics research seeks to disclose societal impacts from case studies around specific technologies and then theorise and apply an approach to resolving by formulating theoretical frameworks that can be applied via policy and improved decision-making methodologies. Knowledge engineering research seeks to formulate semantics models or ontologies from assembled domain knowledge and salient competence questions and encode this in knowledge structured that can provide open data sharing vocabularies and automation in knowledge-based decision support systems.
Integrating these disciplinary perspectives across three technical workpackages resulted in the following: i) the privacy paradigm semantic model as an open knowledge vocabulary that extends information exchange between data subjects and controllers enable collective management of privacy terms in individual and shared data spaces; ii) the ethical assessment of a core set of use cases using different existing methodologies and based on this experience resulted an ontology that could accommodate such a plurality of methodology in documenting and comparing ethical impacts as well as ethical framings to address those sectorial issues; iii) an assessment of risks of AI in the health sector that resulted in a risk assessment vocabulary designed to deal with uncertainties and the needs of regulatory learning for AI system and extension to accommodate emerging risks.
An open access approach to exploitation and dissemination was taken to maximise the uptake of result by the public sector and SME deployers of AI/data processing and by policy makers. This resulted in 10 open access datasets and 49 peer review publication from ESR which have already attracted over 129 citations. Open access results are available at the projects Zenodo repository: https://zenodo.org/communities/protect-network. A central communication and dissemination action was the organisation of the PROTECT symposium as an international event co-located with the multistakeholder digital law and policy conference, CPDP’23 in Brussel.
PROTECT has generated output from its research with the strong potential to impact policy related to data protection and the protection of fundamental rights in the deployment and use of AI systems. In many cases, impact has been delivered and realised though engagement with policy makers such as the Irish Parliament and National Standards Authority of Ireland, the European Data Protection Supervisor, European and International standards bodies such as W3C, ISO/IEC and CEN/CENELEC and the policy research bodies such as the EC Joint Research Centre. Policy and legislation analysis papers, blog posts and presentation/panels at policy focussed events such as CPDP also contribute to influencing the targeted policy and regulatory audiences. Finally, the publication of open semantic models provides the basis for concrete tools that can be used especially by European SMEs and public sector organisations less well-resourced to easily satisfy the rapidly growing body of digital legislation. These also offer access to NGOs interested in holding other actors to account for their implementation of new digital regulation as well as contributing concretely to the tool base through well-defined sectorial extension mechanisms.