Canada: Privacy and ethics : understanding the convergences and tensions for the responsible development of machine learning

https://sebastiengambs.openum.ca/privacy-and-ethics-understanding-the-convergences-and-tensions-for-the-responsible-development-of-machine-learning/

Report “Privacy and AI Ethics – Understanding the convergences and
tensions for the responsible development of machine learning

https://sebastiengambs.openum.ca/files/sites/82/2021/11/OPC_final.pdf

CANON – Canadian Anonymization Network

Website
https://deidentify.ca/

Report “Practices for Generating Non-identifiable Data” (March 2021)
https://deidentify.ca/wp-content/uploads/2021/08/CANON-OPC-Project-Final-Report-v9.pdf

The CANON website includes an excellent list of external resources at https://deidentify.ca/resources/, including

Standards Bodies

Regulators / Government

Canada

Europe

  • Ireland Data Protection Commission – Guidance on Anonymisation and Pseudonymisation – June 2019
  • (German only) Germany Federal Ministry for Economic Affairs and Industry – Code of Conduct for Pseudonymization – 2019
  • European Medicines Agency – External guidance on the implementation of the European Medicines Agency policy on the publication of clinical data for medicinal products for human use – November 2018
  • (Spanish only) Spain Spanish Agency for Data Protection (AEPD) – Guidance and guarantees in the procedures on anonymization of personal data – 2016
  • Asia-Pacific

    United States

    NGOs, Not-for-Profit Organizations, etc.

    Canada

    United States

  • Future of Privacy Forum – A Visual Guide to Practical De-identification – April 2016
  • EDUCAUSE – Guidelines for Data De-identification or Anonymization – July 2015
  • National Academy of Medicine (formerly Institute of Medicine) Sharing Clinical Trial Data: Maximizing Benefits, Minimizing Risk – January 2015
  • Health Information Trust Alliance (HITRUST) – De-Identification Framework – March 2015
  • Europe

    Asia-Pacific

    Global

    • World Bank / International Household Survey Network – Statistical Disclosure Control for Microdata – A Practice Guide | A Theory Guide – October 2019

    CCC RC3: Listen to Your Heart: Security and Privacy of Implantable Cardio Foo

    https://media.ccc.de/v/rc3-2021-cwtv-272-listen-to-your-heart-s
    (see also: https://media.ccc.de/c/rc3-2021 )

    Starts with the usual security analysis of three devices by three manufacturers
    – then the talk pivots to the responses to GDPR requests (information, data portability) by actual patients from the data controllers

    Talk then closes with an anaylysis on how DSR requests were managed, which communication channels have been used, etc

    EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

    EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

    Adopted on 18 November 2021

    https://edpb.europa.eu/system/files/2021-11/edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf

    includes:

    Example 3: Processor in the EU sends data back to its controller in a third country
    XYZ Inc., a controller without an EU establishment, sends personal data of its employees/customers, all of them non-EU residents, to the processor ABC Ltd. for processing in the EU, on behalf of XYZ. ABC re-transmits the data to XYZ. The processing performed by ABC, the processor, is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since ABC is established in the EU. Since XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data and therefore Chapter V applies.

    [..]

    Example 5: Employee of a controller in the EU travels to a third country on a business trip
    George, employee of A, a company based in Poland, travels to India for a meeting. During his stay in India, George turns on his computer and accesses remotely personal data on his company’s databases to finish a memo. This remote access of personal data from a third country, does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller (company A). Therefore, the disclosure is carried out within the same controller (A). The processing, including the remote access and the processing activities carried out by George after the access, are performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR.

    [..]

    Example 6: A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country
    The Irish Company A, which is a subsidiary of the U.S. parent Company B, discloses personal data of its employees to Company B to be stored in a centralized HR database by the parent company in the U.S. In this case the Irish Company A processes (and discloses) the data in its capacity of employer and hence as a controller, while the parent company is a processor. Company A is subject to the GDPR pursuant to Article 3(1) for this processing and Company B is situated in a third country. The disclosure therefore qualifies as a transfer to a third country within the meaning of Chapter V of the GDPR.

    [..]

    Example 7: Processor in the EU sends data back to its controller in a third country
    Company A, a controller without an EU establishment, offers goods and services to the EU market. The French company B, is processing personal data on behalf of company A. B re-transmits the data to A. The processing performed by the processor B is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since it takes place in the context of the activities of its establishment in the EU. The processing performed by A is also covered by the GDPR, since Article 3(2) applies to A. However, since A is in a third country, the disclosure of data from B to A is regarded as a transfer to a third country and therefore Chapter V applies.

    IPEN webinar 2021: “Pseudonymous data: processing personal data while mitigating risks”

    Material from IPEN webinar 2021: “Pseudonymous data: processing personal data while mitigating risks” – with recorded videos etc..
    https://edps.europa.eu/ipen-webinar-2021-pseudonymous-data-processing-personal-data-while-mitigating-risks_en

    including e.g.

    DATENTAG ONLINE: DATENSCHUTZ UND KÜNSTLICHE INTELLIGENZ

    Stiftung Datenschutz, 13 Dec 2021

    https://stiftungdatenschutz.org/veranstaltungen/unsere-veranstaltungen-detailansicht/datentag-datenschutz-und-kuenstliche-intelligenz-239

    includes

    (artificial intelligence, ai)