Data, Law and Ethics

Link to course: https://www.linkedin.com/learning/ethics-and-law-in-data-analytics/data-ethics-and-law

Yesterday, I completed a course named ‘Data, Ethics and Law’ on LinkedIn Learning - something I didn’t know existed until a few days ago.

I was rather intrigued when I first saw this course, especially due to the nature of my degree in university and given how little information there is online regarding how Technology and Law intersect. Additionally, as I am currently self-learning some data analysis and data science concepts, I thought it wouldn’t hurt to find out more about how laws and ethics come into play with data.

The course spans over 4 modules for around 4 hours and covers mainly: 1. Data ethics — why we need it and what it means to be ethical 2. An introduction to the laws in place to counter today’s data problems 3. Practices we should adopt for data privacy (which I believe is really the main takeaway of the course)

Data Ethics

For as long as we can remember, humanity has been keeping track of all our records - spanning from ancient Egyptian hieroglyphics to social media applications we use daily. Because of the increasing pace of technology, we are coming to a spectacle known as the Big Data Revolution. An instance, of what is becoming more common in this revolution, is seeing an advertisement which is highly similar to what you and your best friend were talking about just 10 minutes ago. Let’s evaluate the good and bad about this example.

Yes, it may be more convenient to get personalised advertisements so you don’t have to scour high and low to find a particular service or item. But, isn’t this also extremely… creepy, akin to an intrusion of our privacy?

In view of all this, the course suggests that rather than weighing the pros and cons of using Big Data, the main question should be “How can we better prepare and manage the Big Data Revolution?“

One big problem in Data Ethics is ‘biases’. While machine learning is able to eradicate human biases in decision making, algorithms fed into machine learning models still contain biased data - ‘garbage in, garbage out’ systems which would end up making biased predictions still. Additionally, those who engage in data analysis will know that feature selection in training models still highly depend on humans. This also introduces a further element of human bias, even if an individual himself is unaware of it.

I think something the course had failed to mention was introducing the elements that made data biased. Personally, I believe that it’s something like this:

(In the context of predicting who is more likely to commit a crime.) In the past, more people of X race are prosecuted due to perhaps racism and discrimination. On the other hand, people of Y race are let off even though they have committed the same crimes. This means that the data is inherently biased against the X race already.

On top of the inaccuracy and inherent biases of the data, other factors could be the inaccessibility of certain features to different groups of people. For example, if we conduct an analysis on how social media has impacted our lives, this would exclude groups of people who do not even have access to the internet. Perhaps, they may feel even more out of touch with the society where everyone else has become more interconnected. But what data we collect, would only be limited to those who use social media. Granted, this is not the best example, but it is the only one I could think of right off the top of my head.

Apart from biases, another issue we have to tackle in data ethics is the values surrounding the creation of more complex technologies. This is because we need people to be held accountable for the faults in data prediction. We also want our machine learning models and AI to be imparted with good values.

Legal approaches in tackling data problems

A quick note: Most of the laws introduced are centred around the US laws, hence if you are not in the USA, I believe parts of the course would not exactly be very helpful. However, it does introduce the IRAC model of legal analysis (Issue, Rule, Application, Conclusion) in identifying legal problems related to data.

Meanwhile, under this topic, the course heavily emphasises that there are currently insufficient laws in place to tackle data problems. Hence, while some actions may be unethical, they are not unlawful — and this is taken advantage of a lot of times by big companies whose actions are unhindered. Some cases that the course introduce are 1. the lawsuit against Facebook in view of their photo-tagging of users who did not consent and 2. how Target knew a girl was pregnant before her parents due using her shopping activity.

It also introduces the caveats in current statutes/policies, which I will not be discussing as they are specific to USA.

In this aspect, I believe there is a lot that can be done to ensure companies do not engage in such activities and one framework we can look to for guidance is the GDPR used in the European Union. The main concepts and problems that the GDPR covers are

1. Fairness

2. Permission to process data must be based on UNAMBIGUOUS consent by users - ensure transparency between users and organisations and inform users about what data is collected, what they are used for and how they are used

3. Data collected must be used only for the purposes the organisation had collected the data for

4. How long can an organisation hold on the data collected

5. Accuracy of data collected and allowing individuals to access personal data and correct them if it is inaccurate

6. Security of personal data

7. Accountability

Practices to adopt

Practices in eliminating bias

1. Supporting research to build systems that support fairness and accountability

2. Encourage market participants to design the best algorithmic systems including transparency and accountability mechanisms

3. Promote academic research and industry development of algorithmic auditing

4. Improve awareness of big data revolution so users can better protect themselves - as we see more people nowadays willingly share their personal information on applications such as social media apps

Data Privacy Practices (adapted from GDPR)

1. Know your data

2. Don’t avoid a ‘privacy by design’ approach

3. Whether and how users should be provided notice and choice

4. Inform users about how their privacy is being used

Conclusion and personal thoughts

I honestly thought that there was a lack of proper flow in the way that the content was being delivered. I also sometimes failed to see the link between concepts under the same module. So I hope that my summary made the link more clear. I definitely thought that the course could have been more concise, and should have had a more practical learning outcome (especially since it is 4 hours long). However, I did get to have a quick glimpse of the issues surrounding data privacy.

In Singapore, we have a Personal Data Protection Act (PDPA), however, it protects personal and private data, rather than protect and limit what users’ data can be used for. Additionally, it does not apply to:

Referenced from: https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act

Hence, I believe this limits the scope of the act quite largely — I had an in-class exercise and learnt this the hard way.

To counter this limitation, the Model AI Governance Framework was introduced in 2019 regarding decisions made by AI. The framework can be accessed via this link: https://www.pdpc.gov.sg/Help-and-Resources/2020/01/Model-AI-Governance-Framework which also applies similar concepts to the GDPR.