Author: stefan

https://datamatters.sidley.com/european-commission-publishes-details-of-its-forthcoming-data-act

https://datenrecht.ch/neue-scc-arbeitsmaterialien/

#switzerland

The EDoeB has published an updated web site at https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/handel-und-wirtschaft/uebermittlung-ins-ausland.html#-2053327153

Excellent summary at:
https://datenrecht.ch/edoeb-leitfaden-fuer-die-datenuebermittlung-ins-ausland-aktualisiert/

The Swiss approach is described in the PDF at https://www.edoeb.admin.ch/dam/edoeb/de/dokumente/2021/Anleitung%20f%C3%BCr%20die%20Pr%C3%BCfung%20von%20Daten%C3%BCbermittlungen%20mit%20Auslandbezug%20DE.pdf.download.pdf/Anleitung%20f%C3%BCr%20die%20Pr%C3%BCfung%20von%20Daten%C3%BCbermittlungen%20mit%20Auslandbezug%20DE.pdf

#Switzerland

Link to workshop with slides and videos:
https://edps.europa.eu/data-protection/our-work/ipen/ipen-webinar-2021-synthetic-data-what-use-cases-privacy-enhancing_en

A few gems:

• “Experiences Implementing Data Synthesis in a Global Life Sciences Company” (by Stephen Bamford, Janssen R&D)
  • Slides: https://edps.europa.eu/system/files/2021-06/01_stephen_bamford_en_0.pdf
  • Video: https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-synthetic-data-stephen-bamford_en
• “Synthesis: A Tool for Responsible Data Sharing” (by Prof. Khaled El Emam, Ottawa University)
• Slides: https://edps.europa.eu/system/files/2021-06/02_khaled_el_emam_en.pptx
• Video: https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-synthetic-data-khaled-el-emam_en
• Synthetic data as a privacy enhancing technology and the GDPR (Panel & Q/A)
  • Video: https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-synthetic-data-dara-hallinan-and-kelsey-finch_en

Unsorted links from chat

• https://edps.europa.eu/press-publications/press-news/blog/inviting-new-perspectives-data-protection_en
• https://blog.deeplearning.ai/blog/the-batch-ai-researchers-under-fire-rl-agents-in-danger-bias-in-synthetic-data-one-neuron-to-rule-them-all
• https://arxiv.org/abs/2011.03731
• https://arxiv.org/abs/2012.07805
• https://www.jmir.org/2020/11/e23139
• Replica Analytics’ elaboration and opinion on synthetic data’s anonymity: https://www.replica-analytics.com/web/default/files/public/tutorials/privacy-law-and-synthetic-data/presentation_html5.html
• https://arxiv.org/pdf/2011.07018.pdf
• https://www.sciencedirect.com/science/article/pii/S0267364918300153
• Anonymised Data and the Rule of Law, Daniel Groos and Evert-Ben van Veen https://edpl.lexxion.eu/data/article/16563/pdf/edpl_2020_04-007.pdf
• https://arxiv.org/pdf/2101.04535.pdf
• https://iapp.org/news/a/does-anonymization-or-de-identification-require-consent-under-the-gdpr/

Various statements from chat

Of course, there are things to consider and, for example in 2019 there was an array of papers criticizing that differential privacy in general can re-inforce biases: “But it turns out that in reality the matter is actually much more complicated, as pointed out by latest research highlighting an inherent relationship between privacy and fairness. In fact, it becomes apparent that guaranteeing fairness under differentially private AI model training is impossible when one wants to maintain high accuracy. Such incompatibility of data privacy and fairness would have significant consequences. With respect to the potential of unfairness of some of the standard deep learning models, when it comes to fairness, the current differentially private learning methods fare even worse, reinforcing the biases and being even less fair to a great degree. Results like that should not exactly come as a surprise to implementers and deployers of the technology. Hiding data of small groups is actually among the features of differential privacy. In other words, it is not a bug but a feature of differential privacy. However, this feature leading to decrease of precision might not be something desirable in all use cases.” (Source (with link to papers): https://edps.europa.eu/press-publications/press-news/blog/inviting-new-perspectives-data-protection_en

But fairness AND privacy most certainly are possible. And when we look at synthetic data in particular, there were some promising presentations and talks about fair synthetic data generation at this year’s ICLR conference (e.g. by Amazon) https://www.jmir.org/2020/11/e23139

As might be expected, the speakers’ company gives an elaboration and opinion on synthetic data’s anonymity: https://www.replica-analytics.com/web/default/files/public/tutorials/privacy-law-and-synthetic-data/presentation_html5.html

I am a bit surprised by the references. This talk seems to ignore a vast literature on synthetic data (including an advanced analyses of privacy risks), e.g., https://arxiv.org/pdf/2011.07018.pdf ?

It is really important you can quantitatively measure the re-identification risk at the output level. Otherwise, there is going to be a lack of confidence that identifiability issues have been truly addressed. lt could be open to abuse if not done properly (i.e. claims that it is not personal data when it in fact it is personal data). Done well -it has great value for certain use cases.

totally agree that when epsilon is large, the formal DP guarantee is basically meaningless. That said, two comments: a) you always have to use enough noise so that the epsilon is small, b) sometimes the actual privacy DP gives is stronger in practical attack scenarios, see https://arxiv.org/pdf/2101.04535.pdf

Does de-identification require consent under the GDPR and English common law? authored by Khaled el Emam, Mike Hintze and Ruth Boardman
https://iapp.org/news/a/does-anonymization-or-de-identification-require-consent-under-the-gdpr/ also “Does de-identification require consent under the GDPR and English common law?, Authors: El Emam, Khaled 1 ; Hintze, Mike 2 ; Boardman, Ruth 3 ;Source: Journal of Data Protection & Privacy, Volume 3 / Number 3 / Summer 2020, pp. 291-298(8), Publisher: Henry Stewart Publications, https://www.ingentaconnect.com/content/hsp/jdpp/2020/00000003/00000003/art00007

Company: www.intuite.ai

Company: statice

https://www.heise.de/hintergrund/Wie-synthetische-Datensaetze-KI-Systeme-verbessern-sollen-6071301.html

Really good resource with many useful and free working aides, including

DPIA example (hospital information system)
https://gesundheitsdatenschutz.org/html/dsfa-beispiel.php with DPIA, also Risk matrix (but fails to mention patient impact)

On Anonymization and Pseudonymization
https://gesundheitsdatenschutz.org/html/pseudonymisierung_anonymisierung.php

On dealing with Schrems II
https://gesundheitsdatenschutz.org/html/schrems_ii.php

Remote Support for medical IT systems (Anforderungen an die (Fern) Wartung medizinischer IT-Systeme)
https://gesundheitsdatenschutz.org/html/fernwartung.php

Exchange of health data (Austausch von Gesundheitsdaten – Datenschutzrechtliche Anforderungen an Datenaustauschplattformen im Gesundheitswesen)
https://gesundheitsdatenschutz.org/html/austauschplattformen.php

Guide to a Data Protection Concept (Leitfaden zur Erstellung eines Datenschutzkonzeptes)
https://gesundheitsdatenschutz.org/html/datenschutzkonzept.php

Guide to a Security Concept(Leitfaden zur Erstellung eines IT-Sicherheitskonzeptes)
https://gesundheitsdatenschutz.org/html/itsicherheitskonzept.php

Guide to a Data Deletion/Data Retention Concept (Leitfaden für die Erstellung von Löschkonzepten im Gesundheitswesen)
https://gesundheitsdatenschutz.org/html/loeschkonzept.php

Guide to monitoring and logging, audit trails (Praxishilfe zur Protokollierung und zur Erstellung von Protokollierungskonzepten im Gesundheitswesen)
https://gesundheitsdatenschutz.org/html/protokollierungskonzept.php

Medical research (Medizinische Forschung unter der DS-GVO)
https://gesundheitsdatenschutz.org/html/forschung.php

Clinical registries (Klinische Register und Datenschutz)
https://gesundheitsdatenschutz.org/html/klin_register.php

Clinical studies (Datenschutz bei Klinischen Studien)
https://gesundheitsdatenschutz.org/html/klin_studien.php

Checklists and templates
https://gesundheitsdatenschutz.org/html/muster_checklisten.php

Working aides (Praxishilfen)
https://gesundheitsdatenschutz.org/html/praxishilfen_01.php
A massive list of links .. e.g. for data protection impact assessments!

From Lindqvist to Schrems II: case law of the CJEU on transfers of personal data to third countries

https://edps.europa.eu/data-protection/our-work/publications/court-cases/case-law-digest-2021-transfers-personal-data_en

https://yoda.yale.edu/sites/default/files/nct02136134_54767414mmy3004_datarecipientreport.pdf

https://uwe-repository.worktribe.com/OutputFile/2888548

New set of Standard Data Protection Clauses (SCC) for international data transfers allowing businesses to transfer personal data to non-EU countries!

Standard contractual clauses for controllers and processors(incl. SCC in Annex)
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&qid=1623992991516&from=EN#d1e32-37-1

Standard contractual clauses for international transfers
https://ec.europa.eu/info/law/law-topic/data-protection/publications/standard-contractual-clauses-international-transfers

The 2020 GDPR evaluation report
https://ec.europa.eu/info/law/law-topic/data-protection/communication-two-years-application-general-data-protection-regulation_en

“These texts are final working documents. The only official text will be the one that will be published in the Official Journal in the coming days. ”

—
Commentaries

• CR-online.de Blog: The new Standard Contractual Clauses – A deeper dive
  • https://www.cr-online.de/blog/2021/06/21/the-new-standard-contractual-clauses-a-deeper-dive/
• Two Birds
  • https://www.twobirds.com/en/news/articles/2021/uk/replacement-standard-contractual-clauses
• https://nc.sym.de/s/oSjoYf5WgwQbAJX

Tools:

• Taylor Wessing – SCC generator: https://www.taylorwessing.com/de/online-services/scc-generator