Moving from Access Control to Use Control

Bringing Privacy Regulation into an AI World, Part 5: Moving from Access Control to Use Control

This seven-part series explores, from a Canadian perspective, options for effective privacy regulation in an AI context.

As I have discussed in previous posts, access control has long been the key safeguard for protecting our personal information. Access control is generally effective in preventing unauthorized access to personal data. It is much less effective in preventing the unauthorized use of personal data by those with authorized access. Privacy laws require that organizations use and share personal data only for specified purposes to which data subjects have consented; yet AI systems are not designed to enforce these limits. I would like to outline a new concept of use control: a way of designing AI systems so that personal data can be used only for specified purposes.

Simply put, use control allows individuals to regulate the ways their data is accessed and used. Access control systems cannot tell customers how businesses use their personal data, with whom they share it, or for what purpose. However, a use control model could bring data analytics in line with legal privacy requirements by allowing consumers to take charge of the ways their information is used.

Let’s imagine that the privacy policy of a loyalty program Susan is joining includes four or five check boxes, allowing her to fine-tune how her data could be used for market research. The options could look something like this:

While a data protection approach based solely on access control allows only the binary choice of opting in or opting out of data collection, use control offers a much more sophisticated range of responses. The reality is that most shoppers do want to opt in, but they don’t want to give up their right to privacy by doing so. They also want some control over how their data is to be used, and systems can be designed to support this. In my next post, I will discuss how use control can be implemented in AI systems.
