The Million-Dollar GDPR Question: What Is Significant?

Posted Date 06/07/18

The General Data Protection Regulation of the European Union came into effect last week, which by now everyone using the internet must have noticed: there is no website that does not show you a polite notice asking for your consent to their cookie policy. You can now change your preferences and refuse to let the website collect any data about you to use in ad targeting.


This is great as far as it goes and it gets even better: GDPR allows people to question decisions made by algorithms, which are growing in number and frequency and also in reach. More and more decisions are being made by algos, including important ones regarding ban loans and jobs. Before, we couldn’t question these decisions. Now we can—or at least we can request the decision to be explained by a human— as long as they affect us in a “significant” way. And here lies the problem: GDPR contains no definition of what is significant in this context.


A Vice report on the issue quotes a civil rights attorney as saying that it’s all about accountability. Before GDPR, the companies that used algos to make a variety of decisions concerning the users of their services, were virtually unaccountable because it was the algorithms that made the decisions. There was no explanation of why a certain decision was made and, says Andrew Selbst, “In general, in law, what is unexplainable is therefore unaccountable.”


So, now the decisions will be explainable but making the decision-makers accountable could be tougher. The crux of the matter is that while inappropriate job postings or a denial of credit card are clearly instances when algorithm decisions affect a person’s life in a significant way, this is not the case with most of the algo decisions we encounter every day in the form of which ads you see on your Facebook feed, for example. It would be difficult to argue that seeing a particular ad has affected you significantly, should you feel it has.


And then there’s more. Let’s say you manage to convince the relevant parties that a certain ad has affected your life in a significant way. The company responsible for the algo decision that led to you seeing this ad now must release information to you; what kind of information, however, remains unclear. What is clear is that people could force companies to resort to human intervention—for instance in credit card applications—to ensure a more favorable result.


The best thing about GDPR, however, has to do with the information that companies will now be required to provide to their users, at least until they find a way around that. It is user data that allows algorithms to come up with targeted ads and many people do not want their data used in this way. Before, nobody could force a company to show them exactly what info it has on them. Now, this is possible. At least for a while.


As for the issue of what constitutes significant, this will be up to the courts and up to individual interpretations. It sounds like a lot of confusion is on the way.





Posted in Security | Tagged

Copyright © 2012 Recharge Asia Corp. All Rights Reserved. Terms under which this service is provided to you.
京公网安备: 11010802008822 号    京ICP 证 09052955