Legal Tech News Review Week 17-23 August 2020, by Eleni Kozari

NIST published draft publication for “explainable AI”


Acknowledging the constantly increasing decision-making role of Artificial Intelligence, the U.S. National Institute of Standards and Technology issued a draft publication delineating four principles by which the explainability of AI’s decisions can be judged and evaluated.


The Institute aims to trigger a dialogue with all interested stakeholders regarding the (social) expectations vis-à-vis AI systems with decision-making capabilities. In order to build trust in such applications and systems, a deeper understanding of their limitations and potential is crucial. In addition, the accuracy, security and explainability of such systems should be enhanced as well.


To this end, according to the authors of the publication: a. AI systems should deliver accompanying evidence or reasons for all their outputs; b. the explanations they provide should be meaningful or understandable to individual users; c. such explanations should accurately and properly reflect the process by which the system generated the output; d. the system should operate only under the conditions for which it was designed, and when it has insufficient confidence in its decision, it should not deliver the decision to the user.


Although individual users can apply different criteria in order to judge the success of an AI system’s explainability pursuant to the foregoing principles, the authors contend that the awareness of these double standards can be beneficial in the long term. Comments on the draft publication can be submitted until 15 October.



Canada’s Privacy Commissioner issued guidelines for IoT manufacturers


The Office of the Privacy Commissioner of Canada (OPC) issued guidelines including privacy principles, compliance measures and a compliance checklist that concern every company involved in the production and design of IoT devices, as well as those charged with monitoring the legal compliance of such devices.


The guidelines have been formulated based on the provisions of Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). On top of that, the guidelines provide best practices in order to strengthen companies’ privacy management programs.


Pursuant to PIPEDA, personal information is defined as “information about an identifiable individual”. Hence, the guidelines clarify that in the context of the IoT ecosystem, IoT devices can collect information about individuals’ behaviour, heart rate, voice and facial recordings, location and movements, as well as energy usage and temperature in homes. Accordingly, the sensitive nature of the collected information can vary.

To this end, the guidelines clarify how the principle of accountability and design for privacy can apply in the IoT ecosystem. In addition, they underline that the involved stakeholders should clarify the intended purposes before the collection of information takes place, and that they should ensure that their personal information handling practices are transparent. The latter is also important in the context of the ‘meaningful consent’ that organisations should obtain pursuant to PIPEDA.


On top of that, the guidelines recommend that devices should be designed in such a manner that limits the collection of information. In addition, organisations should ensure that consumers are aware of their rights and are provided with the means to exercise them, including the right to challenge the accuracy of their information. Finally, appropriate physical, organisational and technological safeguards are mandated.







European Privacy Campaign Group has filed complaints against 101 websites regarding post-Schrems II data transfers


Following the striking down of the Privacy Shield by the CJEU earlier this summer, a European privacy campaign group (noyb) has filed complaints against 101 websites which are sending data to the US through Google Analytics and Facebook Connect.


The websites include e-commerce entities, telecommunications companies, ISPs and banks that still deploy Google Analytics and Facebook Connect, although both companies fall under US surveillance laws.


According to the Campaign Group, those companies do not have a legal basis for such data transfers, while Google claims to still rely on the Privacy Shield, even after its invalidation. Hence, the Group has proceeded with filing complaints against the websites, and both the Irish DPC and the French CNIL have confirmed that they received complaints from the Group. To this end, the CNIL recommends that a common approach is needed as regards the implementation of the Schrems II decision.




US Federal Court approved Facebook’s settlement of $650 million regarding BIPA case


Facebook’s settlement ($650 million) regarding the lawsuit for violations of Illinois’ Biometric Information Privacy Act (BIPA) has received preliminary approval. The case concerned Facebook’s ‘Tag Suggestions’ feature, which enabled users to recognise their Facebook friends from previously uploaded photos by means of facial recognition technology, without the friends’ consent. According to Illinois users, the company has violated the BIPA provisions, since it unlawfully collected and processed biometric data without the users’ consent.


Although Facebook had initially offered $100 million as a settlement offer, in July the company raised the amount to $650 million. Hence, the Court has proceeded with a preliminary approval of the class action settlement. The final hearing will take place on 7 January 2021.
