Moving from Access Control to Use Control

Bringing Privacy Regulation into an AI World, Part 5

This seven-part series explores, from a Canadian perspective, options for effective privacy regulation in an AI context.

As I have discussed in previous posts, access control has long been the key safeguard for protecting our personal information. Access control is generally effective in preventing unauthorized access to personal data. It is much less effective in preventing the unauthorized use of personal data by those with authorized access. Privacy laws require that the organizations use and share personal data only for specified purposes to which data subjects have consented; yet AI systems are not designed to enforce these limits. I would like to outline a new concept of use control: a way of designing AI systems so that personal data can be used only for specified purposes.

Simply put, use control allows individuals to regulate the ways their data is accessed and used. Access control systems cannot tell customers how businesses use their personal data, with whom they share it, or for what purpose. However, a use control model could bring data analytics in line with legal privacy requirements by allowing consumers to take charge of the ways their information is used.

I would like to outline a new concept of use control: a way of designing AI systems so that personal data can be used only for specified purposes.

Let’s imagine that the privacy policy of a loyalty program Susan is joining includes four or five check boxes, allowing her to fine-tune how her data could be used for market research. The options could look something like this:

  • My identifying information can be used. (This would include your name and address, and shopping history. It will allow us to send you personalized offers and discounts.)
  • My sales data (purchases, amounts, and locations) can be shared with our partner organization (Aeroplan).
  • My anonymized identifying information can be used. (This will help us improve our products and services.)
  • My derivative data can be used. (Your anonymous purchasing patterns will help us analyse what our customers like and what could be improved on.)
  • My personal, anonymized spending patterns can be analysed as part of aggregated data. (By understanding purchase volumes per month, or year over year, we can predict client purchase patterns and hence better stock our stores.)
  • None of my data can be used. (This will affect our ability to send you discount coupons for your favourite products.)

While a data protection approach based solely on access control allows only the binary choice of opting in or opting out of data collection, use control offers a much more sophisticated range of responses. The reality is that most shoppers do want to opt in, but they don’t want to give up their right to privacy by doing so. They also want some control over how their data is to be used, and systems can be designed to support this. In my next post, I will discuss how use control can be implemented in AI systems.

Bringing Privacy Regulation into an AI World:

PART ONE: Do We Need to Legislate AI?

PART TWO: Is AI Compatible with Privacy Principles?

PART THREE: Big data’s big privacy leak – metadata and data lakes 

PART FOUR: Access control in a big data context 

PART FIVE: Moving from access control to use control 

PART SIX: Implementing use control – the next generation of data protection 

PART SEVEN: Why Canadian privacy enforcement needs teeth