© Cloudera, Inc. All rights reserved.
MACHINE LEARNING IN AN AGE OF DATA REGULATION
JEFF [email protected]
AI AND MACHINE LEARNING GROWTH
GDPR AND POPIA
GDPR
• Obligations of the organization
  ○ Across people, process and technology
  ○ Impacts how personal data is collected and used
• Substantial penalties
  ○ Heavy fines for violations
  ○ Up to 20M Euros or 4% of the annual global turnover for the preceding financial year
• Applicable worldwide
  ○ Any organization with any users in the EU needs to be compliant.
  ○ Includes companies based outside the EU, processing personal data from EU residents in connection with the offering of any goods or services or monitoring user behavior.
  ○ Includes data processor and data controller
• Rights of the consumer
  ○ Right to be forgotten/erasure
  ○ Right to access information
  ○ Right to data portability
  ○ Right for processing to be restricted
GDPR
• 88 pages
• 99 Articles
• 173 Recitals.
POPI
“To promote the protection of personal information processed by public and private bodies;
to introduce certain conditions so as to establish minimum requirements for the processing of personal information;
to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.”
POPI
• 76 Pages
• 12 Chapters
• 115 Sections
GDPR VS POPI
DATA PRIVACY REGULATIONS AND MACHINE LEARNING
IMPORTANT DEFINITIONS
• Automated Decision Making
• Profiling
• Legal Effects or Substantially Affects
AUTOMATED DECISION MAKING - GDPR
Article 22
Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
AUTOMATED DECISION MAKING - POPI
Section 71
Automated decision making
a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.
AUTOMATED DECISION MAKING - EXAMPLE
“Imposing speeding fines purely on the basis of evidence from speed cameras is an automated decision making process that does not necessarily involve profiling. It would, however, become a decision based on profiling if the driving habits of the individual were monitored over time, and, for example, the amount of fine imposed is the outcome of an assessment involving other factors, such as whether the speeding is a repeat offence or whether the driver has had other recent traffic violations.”
PROFILING - GDPR
Article 4
Definitions
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
PROFILING - POPI
Section 5
A data subject has the right...
(g) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
PROFILING - EXAMPLE
“A data broker collects data from different public and private sources, either on behalf of its clients or for its own purposes. The data broker compiles the data to develop profiles on the individuals and places them into segments. It sells this information to companies who wish to improve the targeting of their goods and services. The data broker carries out profiling by placing a person into a certain category according to their interests.”
LEGAL EFFECTS OR SIGNIFICANTLY AFFECTS
“Hypothetically, a credit card company might reduce a customer’s card limit, based not on that customer’s own repayment history, but on non-traditional credit criteria, such as an analysis of other customers living in the same area who shop at the same stores. This could mean that someone is deprived of opportunities based on the actions of others. In a different context using these types of characteristics might have the advantage of extending credit to those without a conventional credit history, who would otherwise have been denied.”
WHERE DOES THAT LEAVE US?
THE REGULATIONS
GDPR - ARTICLE 22
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
POPI - SECTION 71
a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person
THE DANGER ZONE
AUTOMATED DECISION MAKING
PROFILING!
EXCEPTIONS
GDPR
(a) necessary for the performance of or entering into a contract;
(b) authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(c) based on the data subject’s explicit consent.
POPI
(a) has been taken in connection with the conclusion or execution of a contract, and
(i) the request of the data subject in terms of the contract has been met; or
(ii) appropriate measures have been taken to protect the data subject’s legitimate interests; or
(b) is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.
WHEN REGULATIONS ARE INVOKED
GDPR SCOPE
Articles 13-15
the controller shall, at the time when personal data are obtained, provide the data subject . . . [in the case of] automated decision-making, including profiling, . . . meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Recital 71
... should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.
POPI SCOPE
Section 71
require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations in terms of paragraph (a).
TENSORFLOW
VISUALLY EXPLAINING ALGORITHMS
CLOUDERA FAST FORWARD LABS OFFERINGS
Reduce uncertainty by helping develop and implement an ML strategy
RESEARCH STRATEGY + ADVISING FEASIBILITY STUDIES
INTERPRETABILITY OF LINEAR REGRESSION
INTERPRETABILITY OF MORE COMPLEX MODELS
INTERPRETABILITY TRADE-OFF
WHITE BOX MODELS
BLACK BOX MODELS
LIME
LOCAL INTERPRETABLE MODEL-AGNOSTIC EXPLANATION
WHY DOES THIS MATTER?
DEMO
THE RIGHT TO BE FORGOTTEN
REGULATIONS
GDPR
Article 17
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
POPI
Section 24
A data subject may, in the prescribed manner, request a responsible party to—
(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully;
MODEL INVERSION ATTACK
THANK YOU
LINKS
[email protected]://www.gov.za/sites/www.gov.za/files/37067_26-11_Act4of2013ProtectionOfPersonalInfor_correct.pdf
Article 29 WP: http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf
GDPR: https://gdpr-info.eu/
Model Inversion Attack: https://cs.cmu.edu/~mfredrik/papers/fjr2015ccs.pdf