Data Fusion Challenges Privacy: What Can Privacy Regulation Do?

This paper focuses on some shortcomings in current privacy and data protection regulations' ability to adequately address the ramifications of AI-driven data processing practices, in particular where data sets are combined and processed by AI systems. We raise attention to two regulatory anomalies related to two fundamental assumptions underlying traditional privacy and data protection approaches: (1) Only Personally Identifiable Information (PII) and Personal Data (PD) require privacy protection: Privacy and data protection regulations are only triggered with respect to PII/PD, but not anonymous data. This is not only problematic because determining whether data falls in the former or latter category is no longer straightforward, but also because privacy risks associated with data processing may exist whether or not an individual can be identified. (2) Given sufficient information provided in a transparent and understandable manner, individuals are able to adequately assess the privacy implications of their actions and protect their privacy interests: However, relying on human privacy expectations fails to address important privacy threats, because those expectations are at odds with the actual privacy implications of data processing practices, as most people lack the necessary technical literacy to understand the sophisticated technologies at play, and to correctly assess their privacy implications. To tackle these anomalies we recommend regulatory reform in two directions: (1) Abolishing the distinction between personal and anonymized data for the purposes of triggering the application of privacy and data protection regulations and (2) developing methods to prioritize regulatory intervention based on the level of privacy risk posed by individual data processing actions.