How Privacy Regulations Could Better Tackle Challenges Stemming from Combining Data Sets

Modern information and communication technology practices present novel threats to privacy. This paper focuses on some shortcomings in current privacy and data protection regulations' ability to adequately address the ramifications of some AI-driven data processing practices, in particular where data sets are combined and processed by AI systems. We raise attention to two regulatory anomalies related to two fundamental assumptions underlying traditional privacy and data protection approaches: (1) Only personally identifiable information (PII)/personal data require privacy protection: Privacy and data protection regulations are only triggered with respect to PII/personal data, but not anonymous data. This is not only problematic because determining whether data falls in the former or latter category is no longer straightforward, but also because privacy risks associated with data processing may exist whether or not an individual can be identified. (2) Given sufficient information provided in a transparent and understandable manner, individuals are able to adequately assess the privacy implications of their actions and protect their privacy interests: We show that this assumption corresponds to the current societal consensus on privacy protection. However, relying on human privacy expectations fails to address some important privacy threats, because those expectations are increasingly at odds with the actual privacy implications of data processing practices, as most people lack the necessary technical literacy to understand the sophisticated technologies at play, not to mention correctly assess their privacy implications.