Feb 27, 2020 · post

Privacy, data governance, and machine learning: the regulatory perspective

Why do privacy and governance matter?

Data privacy has been a common conversation topic among the general public since the Cambridge Analytica scandal in 2018. The data “breach,” in which user information was hoovered up through a Facebook quiz and subsequently misrepresented as being used for academic purposes, resulted in over $5 billion in fines for Facebook. However, Facebook’s infringements were, in fact, relatively narrow in scope (though nonetheless egregious) compared to the growing remit of privacy law. Enterprises with wide-spanning data practices should be wary when establishing data-gathering practices, particularly those practices which are covered by the California Consumer Protection Act (CCPA) and EU General Data Protection Regulation (GDPR).

Companies have already begun complying with these regulations, primarily in the form of updated privacy notices. However, precedence has yet to be set around how data governance (oversight of data flows both within and outside the company) is treated in this process. This article will deal with this intersection, and how it pertains to machine learning operations.

Image credit: Photo by Markus Spiske on Unsplash

What laws are actually on the books? What are their implications to my business?

The new laws that directly pertain to company data usage are most prominently the GDPR and CCPA. Let’s talk about each of them at a high level.

The GDPR requires companies that “process” (a purposefully broad term that covers just about anything you can do with data: collection, storage, transmission, analysis, etc.) any personal data of EU citizens must comply with a 19-point checklist. One point on this checklist states: “it’s easy for customers to request and receive all the information you have about them.”

The CCPA mandate applies to any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least one of the following thresholds: a) has annual gross revenues in excess of $25 million; b) buys or sells the personal information of 50,000 or more consumers or households; or c) earns more than half of its annual revenue from selling consumers’ personal information. This law stipulates, among other requirements, that consumers have the “right to know what personal information a business holds about a consumer and whether the business sells or discloses personal information to third parties.”

One way to facilitate compliance would be to build a comprehensive data model, which lists viewing, editing, and administrative rights over data repositories. This data model would necessarily extend to all data-collecting and data-maintaining operations that an enterprise is pursuing.

Does my machine learning algorithm fall under this law?

In a word, yes. Each of the regulations approach the topic differently:

The GDPR is much more exacting when it comes to setting standards for machine learning. Not only does it require companies to divulge all instances in which a customer’s data is sold and processed, but it also states the consumer’s “right to an explanation.” This notion of an explanation has yet to be determined; it is currently being hotly debated by legal scholars. At the very least, it grants individuals “information about the existence of automated decision-making and about ‘system functionality,’ but no explanation about the rationale of a decision.” In other words, consumers will be informed if their, say, credit decision was the result of an algorithm, but not the individual variables that contributed most to the decision.

The CCPA mostly focuses on consumer sovereignty around their data, whether that includes the sale, deletion, or correction of their personal data. One potential machine learning-related highlight of the legislation - full text here - includes the ban of any sort of price discrimination based on data: “A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including by charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.” This sort of outcome could potentially be fostered unintentionally through a pricing model or inventory optimization algorithm. Lawyers are still debating the finer implications of the legislation, which was written with the goal of being modified in the future. Still, companies are still pursuing compliance activity regardless.

Compliance, in terms of data governance, starts with a well-built data model. This model should ideally cover not just the “golden record,” but should also include how the golden record is being applied within business operations. For example, a telecommunications company may rely on an algorithm to predict customer churn. Normally, data models only extend to the golden record. However, for governance purposes, it is necessary to ensure that this usage is captured. More importantly, if a customer orders that their data is deleted, governance architects need to know exactly where data needs to be deleted, including within internal business-side operations. This includes machine learning algorithms, and companies can be held liable for this.

Data governance and privacy: past, present, and future

Privacy law and ethics stretches back to the 1600s in the United States, when Governor William Bradford opened mail flowing between the US colonies and England to monitor insurrectionary forces in the Massachusetts Bay Colony. The Townshend Acts of 1768 allowed British tax agents to search colonist homes, and served as the motivation behind the Fourth Amendment within the Bill of Rights, which laid out the definition of a lawful search. Since then, innovations within postal services, telecommunications, and law enforcement have provoked conversations over what level of government snooping ought to be considered an overreach. However, these days, private institutions (as opposed to governments) are coming under the popular/regulatory microscope.

Regulators are beginning to take action to ensure a fair market and prevent market externalities. Companies like Facebook are now being observed to ensure the prevention of undue snooping. While consumers will emerge with more power, the laws in place have been structured so as to be quickly adaptable to technological change. Innovation within location, natural language, or health data analysis will necessarily compel further regulation. District/state attorneys across the nation are building up technical resources in order to build case precedence. In order to ensure compliance, companies are best served by improving their governance techniques. Software solutions such as SAP and Informatica will only go part way in achieving this level of compliance; human capital and change management best practices must also keep up with these changes.

The laws above have pressing implications for data governance practices, as well as activities peripheral to the governance function (e.g., AI & machine learning, automation, business intelligence). Data governance, before these laws were implemented, was primarily tied to core IT operations. However, with the advent of machine learning integration to corporate strategy, governance should now gradually be thought of as a strategic, legal, and technical function. Moreover, it is important for data governance to be conducted on a continual, iterative basis as data is generated in new and evolving ways. All traces of a data point, upon request of a consumer, need to be retrievable at the drop of a hat; thus, a hashing methodology will need to be built to facilitate this capability.

Will the government actually enforce these rules?

Yes and yes.

Read more

Apr 1, 2020 · post
Feb 20, 2020 · post

Latest posts

Nov 15, 2022 · newsletter

CFFL November Newsletter

November 2022 Perhaps November conjures thoughts of holiday feasts and festivities, but for us, it’s the perfect time to chew the fat about machine learning! Make room on your plate for a peek behind the scenes into our current research on harnessing synthetic image generation to improve classification tasks. And, as usual, we reflect on our favorite reads of the month. New Research! In the first half of this year, we focused on natural language processing with our Text Style Transfer blog series. more
Nov 14, 2022 · post

Implementing CycleGAN

by Michael Gallaspy · Introduction This post documents the first part of a research effort to quantify the impact of synthetic data augmentation in training a deep learning model for detecting manufacturing defects on steel surfaces. We chose to generate synthetic data using CycleGAN,1 an architecture involving several networks that jointly learn a mapping between two image domains from unpaired examples (I’ll elaborate below). Research from recent years has demonstrated improvement on tasks like defect detection2 and image segmentation3 by augmenting real image data sets with synthetic data, since deep learning algorithms require massive amounts of data, and data collection can easily become a bottleneck. more
Oct 20, 2022 · newsletter

CFFL October Newsletter

October 2022 We’ve got another action-packed newsletter for October! Highlights this month include the re-release of a classic CFFL research report, an example-heavy tutorial on Dask for distributed ML, and our picks for the best reads of the month. Open Data Science Conference Cloudera Fast Forward Labs will be at ODSC West near San Fransisco on November 1st-3rd, 2022! If you’ll be in the Bay Area, don’t miss Andrew and Melanie who will be presenting our recent research on Neutralizing Subjectivity Bias with HuggingFace Transformers. more
Sep 21, 2022 · newsletter

CFFL September Newsletter

September 2022 Welcome to the September edition of the Cloudera Fast Forward Labs newsletter. This month we’re talking about ethics and we have all kinds of goodies to share including the final installment of our Text Style Transfer series and a couple of offerings from our newest research engineer. Throw in some choice must-reads and an ASR demo, and you’ve got yourself an action-packed newsletter! New Research! Ethical Considerations When Designing an NLG System In the final post of our blog series on Text Style Transfer, we discuss some ethical considerations when working with natural language generation systems, and describe the design of our prototype application: Exploring Intelligent Writing Assistance. more
Sep 8, 2022 · post

Thought experiment: Human-centric machine learning for comic book creation

by Michael Gallaspy · This post has a companion piece: Ethics Sheet for AI-assisted Comic Book Art Generation I want to make a comic book. Actually, I want to make tools for making comic books. See, the problem is, I can’t draw too good. I mean, I’m working on it. Check out these self portraits drawn 6 months apart: Left: “Sad Face”. February 2022. Right: “Eyyyy”. August 2022. But I have a long way to go until my illustrations would be considered professional quality, notwithstanding the time it would take me to develop the many other skills needed for making comic books. more
Aug 18, 2022 · newsletter

CFFL August Newsletter

August 2022 Welcome to the August edition of the Cloudera Fast Forward Labs newsletter. This month we’re thrilled to introduce a new member of the FFL team, share TWO new applied machine learning prototypes we’ve built, and, as always, offer up some intriguing reads. New Research Engineer! If you’re a regular reader of our newsletter, you likely noticed that we’ve been searching for new research engineers to join the Cloudera Fast Forward Labs team. more

Popular posts

Oct 30, 2019 · newsletter
Exciting Applications of Graph Neural Networks
Nov 14, 2018 · post
Federated learning: distributed machine learning with data locality and privacy
Apr 10, 2018 · post
PyTorch for Recommenders 101
Oct 4, 2017 · post
First Look: Using Three.js for 2D Data Visualization
Aug 22, 2016 · whitepaper
Under the Hood of the Variational Autoencoder (in Prose and Code)
Feb 24, 2016 · post
"Hello world" in Keras (or, Scikit-learn versus Keras)


In-depth guides to specific machine learning capabilities


Machine learning prototypes and interactive notebooks

ASR with Whisper

Explore the capabilities of OpenAI's Whisper for automatic speech recognition by creating your own voice recordings!


A usable library for question answering on large datasets.

Explain BERT for Question Answering Models

Tensorflow 2.0 notebook to explain and visualize a HuggingFace BERT for Question Answering model.

NLP for Question Answering

Ongoing posts and code documenting the process of building a question answering model.

Cloudera Fast Forward Labs

Making the recently possible useful.

Cloudera Fast Forward Labs is an applied machine learning research group. Our mission is to empower enterprise data science practitioners to apply emergent academic research to production machine learning use cases in practical and socially responsible ways, while also driving innovation through the Cloudera ecosystem. Our team brings thoughtful, creative, and diverse perspectives to deeply researched work. In this way, we strive to help organizations make the most of their ML investment as well as educate and inspire the broader machine learning and data science community.

Cloudera   Blog   Twitter

©2022 Cloudera, Inc. All rights reserved.