The privacy preserving approach of MARCONI
We describe below how MARCONI addresses privacy issues concerning interactive radio broadcasting. A brief outline of each topic facilitates the understanding of (user) privacy-related operation and risk mitigation efforts.
Introduction
Not only radio, but any digital media broadcast strives towards individual user engagement and personalisation, not only of advertisements but also of content. This has been a trend since the 1990s, but nowadays, in the digital age, the industry needs a platform for communication and personalisation. Within MARCONI this has been developed as a unified backend that enables a broadcaster to use a managing application for the editorial team and the presenter, with plug-ins such as indexing, personalisation, interaction and clustering services, while at the same time emphasising data protection compliance. The required data may be collected through three major applications: users may engage with the radio station through a webpage, a smartphone app or a chatbot implementation designed for the platform of their choice (e.g. the Facebook Messenger API). The University of Vienna has advised the MARCONI consortium on the privacy issues arising from the selection of the legal basis, the general conduct of processing activities, data protection principles, and compliance with the information provisions of data protection legislation.
Data Protection as the Central Issue
The European data protection framework provided by the General Data Protection Regulation (GDPR) applies to the processing of personal data by a controller or processor with an establishment in the European Union, or where the processing concerns a natural person in the European Union.
“Personal data” is defined as “any information relating to an identified or identifiable natural person”. Since data should be considered personal data even if additional information is needed to identify the data subject (provided that the means are “reasonably likely to be used”), GDPR compliance is a hurdle in designing a personalised radio broadcasting architecture such as MARCONI.
The envisioned processing activities could lawfully be conducted on various grounds of processing under the GDPR. In order to establish a transparent system that gives the data subject the fullest possible informational self-determination, a system based on the free and informed consent of the data subject has been recommended.
MARCONI Services
MARCONI allows the user to determine to what extent the offered services should individualise their radio experience. The offered services include the following:
Conversational Services
These include all services that are required to facilitate basic interaction between the user and the radio manager and/or a chatbot. Through the service RadioManager users are able to receive information on broadcasts. Users can also interact with a chatbot and a conversation service that asks them about their privacy preferences. The chatbot service uses the program chatlayer which provides a conversational experience for the user via response generation. The chatbot can, for example, automatically respond to questions and statements of a user regarding the program and other related issues.
Most of these services and their underlying processing activities are necessary to facilitate the basic functionality of MARCONI. In these cases, it would also be possible to rely on the legal basis of Art. 6(1)(b) GDPR (“performance of a contract”) and, where this is not the case, Art. 6(1)(f) GDPR (“legitimate interests”) as an alternative to the consent of the data subject according to Art. 6(1)(a) GDPR. This may depend on the final configuration of the product. Neither would, however, relieve the controller from their obligation to provide information and access to personal data to the user (data subject) according to Art. 13 and 14 GDPR.
Indexing Services
To enable radio editors as well as DJs to search through conversations, senders, recipients or timelines, all processed data is indexed before it is stored in a data container. Indexing items based on textual descriptions facilitates the search for media items such as photos and videos.
These processing activities include the indexing of social media posts and communication messages, and the extraction and creation of metadata (location markers, time) from conversations or social media posts. In addition, face detection, geotag extraction, named entity recognition, topic detection and classification (e.g. sentiment analysis) are offered.
A data protection impact assessment should be considered (Art. 35 GDPR) concerning new and potentially intrusive measures such as sentiment analysis out of conversations or social media posts within the indexing service, if the result of this analysis includes special categories of personal data.
Regarding these processing activities, the University of Vienna suggested obtaining explicit consent from the data subject. This can be achieved using the chatbot and employing the conversational service itself to present and ask for consent. The user will therefore be fully aware of the contents and can affirm in a natural and user-friendly manner.
Social Media Analysis
To gain insight into how the radio station's social media presence impacts its environment, the MARCONI structure offers services for the controller such as content reach analysis, inference analysis and analysis of audience responsiveness. This can be conducted via the analysis of hashtags used on social media or views on YouTube videos in certain timeframes. The output of this analysis contains reach statistics and influence scores.
Content reach analysis, inference analysis and analysis of audience responsiveness are subject to special rules under Art. 5(1)(b) and (e) and Art. 89(1) GDPR and may therefore generally be conducted on the basis of legitimate interest, since the outcome of the processing activity is aggregated data from which the individual cannot be re-identified. Art. 89(1) GDPR requires special safeguards to ensure that technical and organisational measures are in place, in particular to ensure respect for the principle of data minimisation. Art. 89(1) GDPR also states that such measures should include pseudonymisation, provided that those purposes can be fulfilled in that manner. Therefore, it is advised that processing for the aforementioned purposes should primarily be based on anonymous data or, if that is not possible, pseudonymous data or personal data. Given the potentially large number of data subjects involved, conducting a data protection impact assessment (according to Art. 35 GDPR) should be considered, taking into account the applicable national implementation of Art. 89(1) GDPR as well as the “blacklists” and “whitelists” issued by the competent supervisory authority (Art. 35(4) GDPR).
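The paragraph above asks that reach statistics be computed on anonymous or, failing that, pseudonymous data, and that the released output be aggregated so that no individual can be re-identified. The following added example (not MARCONI's or the consortium's code) shows one way to do this for hashtag reach: author handles are replaced by a keyed HMAC pseudonym whose key is held separately from the statistics, posts are aggregated per hashtag and day, and any group with fewer distinct contributors than a suppression threshold is withheld. The sample posts, the key and the threshold value are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

# Constructed sample posts; not real social media data.
SAMPLE_POSTS = [
    {"author": "@alice", "hashtag": "#morningshow", "ts": "2019-03-01T07:15:00Z"},
    {"author": "@bob",   "hashtag": "#morningshow", "ts": "2019-03-01T07:20:00Z"},
    {"author": "@carol", "hashtag": "#morningshow", "ts": "2019-03-01T08:02:00Z"},
    {"author": "@Alice", "hashtag": "#MorningShow", "ts": "2019-03-01T09:40:00Z"},
    {"author": "@alice", "hashtag": "#nightshow",   "ts": "2019-03-01T22:05:00Z"},
    {"author": "@bob",   "hashtag": "#nightshow",   "ts": "2019-03-01T22:30:00Z"},
    {"author": "@dave",  "hashtag": "#morningshow", "ts": "2019-03-02T07:10:00Z"},
]

# Groups with fewer distinct contributors than this are not released (constructed value).
MIN_AUTHORS = 3


def pseudonymise(handle: str, key: bytes) -> str:
    """Keyed hash of the author handle.

    A plain hash could be reversed by hashing a list of known handles; the key,
    stored apart from the statistics, prevents that. The same handle always maps
    to the same pseudonym, so distinct contributors can still be counted."""
    digest = hmac.new(key, handle.lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def reach_statistics(posts, key: bytes, min_authors: int = MIN_AUTHORS):
    """Aggregate posts per (hashtag, day) and release only sufficiently large groups.

    Returns {(hashtag, day): {"posts": n, "distinct_authors": m}} with every
    group below the suppression threshold removed."""
    authors = defaultdict(set)   # (hashtag, day) -> pseudonymous contributors
    counts = defaultdict(int)    # (hashtag, day) -> number of posts
    for post in posts:
        day = datetime.strptime(post["ts"], "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        group = (post["hashtag"].lower(), day)
        authors[group].add(pseudonymise(post["author"], key))
        counts[group] += 1

    released = {}
    for group, contributors in authors.items():
        if len(contributors) < min_authors:
            continue  # suppressed: too few contributors to publish safely
        released[group] = {"posts": counts[group], "distinct_authors": len(contributors)}
    return released


def suppressed_groups(posts, key: bytes, min_authors: int = MIN_AUTHORS):
    """List the (hashtag, day) groups that were withheld, for the controller's records."""
    seen = {(p["hashtag"].lower(),
             datetime.strptime(p["ts"], "%Y-%m-%dT%H:%M:%SZ").date().isoformat())
            for p in posts}
    return sorted(seen - set(reach_statistics(posts, key, min_authors)))


if __name__ == "__main__":
    key = b"constructed-pseudonymisation-key"
    for group, stats in reach_statistics(SAMPLE_POSTS, key).items():
        print(group, stats)
    print("suppressed:", suppressed_groups(SAMPLE_POSTS, key))
```

The released statistics contain no handle and no pseudonym, only counts; the pseudonyms exist transiently to count distinct contributors. Rotating the key between analysis runs prevents pseudonyms from being linked across runs.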
Establishing Informational Self-Determination in MARCONI
To provide the data subject with maximal control over his or her data and to demonstrate which data are processed in what manner and on which legal basis, the University of Vienna recommended the use of a register of processing activities using privacy or consent management software. This seemed especially important as a large number of processing activities are conducted by third-party service providers (processors). The technical partners of the consortium provided the “PriVaults” system, an example of the successful integration of privacy considerations in the early design phase (privacy by design).
It is important to determine a proper legal basis for each processing purpose. This granularity is especially important regarding the declaration of consent: the user must be able to give and withdraw consent for each processing purpose separately, and withdrawing consent should be as easy as giving it.
PriVaults is based on the declarations of consent by the users. Before data are processed, MARCONI presents each user with a fully customisable form for the consent agreement. All possible processing purposes, the personal data in question and the respective information regarding the controller are presented in this form, and the user actively chooses which service he or she wants to use and which processing activities are required for the respective service. While the user is presented with the necessary information according to Art. 13 GDPR, he or she will specifically be shown the related purposes. Complying with the information provisions also means communicating with the data subject in an easily accessible form. Considering that the user will be unfamiliar with a privacy management system, special attention should be paid to providing information to the data subject at a level that allows them to exercise their rights. Therefore, it is imperative to provide information at a top level before presenting more detailed information, application-specific agreements and special purposes. This can be done in a short and precise outline. As the burden of proof is on the controller according to Art. 5(2) and 7(4) GDPR, MARCONI should declare why it needs which personal data and for what purpose (principle of purpose limitation).
The PriVaults system enables the controller to see what datasets out of the data container of each user may be extracted for which purpose on the basis of the consent agreement. The use of PriVaults requires the controller to list all processing activities and purposes in the necessary granularity. Special attention should be paid to processing purposes to comply with the purpose limitation principle. Notions of consent shall be tailored to suit the demands of the application ensuring that no excessive processing of personal data is conducted (data minimisation).
To further prevent misuse, the DPO of an organization using PriVaults will be able to monitor the compliance with data protection principles through analysis of permissions granted to an application and comparison of agreements presented to the data subject. As stated in Rec. 77 and Art. 35(2) GDPR, the necessary measures to be conducted by the controller shall be undertaken according to the input of a DPO, internal procedures or approved certifications pursuant to Art. 42(5) GDPR. This workflow is further supported by PriVaults through extensive log data documenting access, application permissions and data containers. Each application must be registered and automatically obtains keys for authentication methods.
In the case of these authentication processes, data minimisation is also important in order to safeguard the rights of the data subjects. Authentication via an email token may be considered a viable solution. However, since end users in general do not appreciate having to create profiles or provide their email address, different authentication methods are employed, such as the use of session IDs. PriVaults can even manage consent agreements based on this method. In this case, a data subject who is confronted with a web interface will be asked for no additional personal information.
The related structure of the privacy system is designed as a hierarchy with application and user collections, enabling dynamic data retrieval which can be structured according to the wishes of the controller and is operated through GraphQL. To comply with the data protection principles laid out in Art. 5 and 25 GDPR (data minimisation, privacy by design), data is stored separately and applications may only request each dataset separately. Purposes in general must be as granular as possible, depending on the service provided, for consent agreements to be valid.
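The passages above describe the properties a consent register must have: purposes listed at the necessary granularity with a legal basis each, consent given and withdrawn per purpose in a single step, subjects identified by a session ID rather than a profile, applications registered with their own keys and permissions, datasets stored and released separately, and a log the DPO can use to compare granted permissions with actual access. The following added example is a hypothetical in-memory register written to illustrate those properties; it is not the PriVaults implementation and does not use its GraphQL interface. The purpose names, dataset names, session ID and application name in the usage section are constructed.

```python
import secrets
from datetime import datetime, timezone


class ConsentRegister:
    """Hypothetical register of processing purposes and per-purpose consent
    (illustration only; not the PriVaults implementation)."""

    def __init__(self):
        self.purposes = {}    # purpose -> {"description", "legal_basis", "datasets"}
        self.apps = {}        # api key -> {"name", "purposes"}
        self.consents = {}    # (session_id, purpose) -> True (given) / False (withdrawn)
        self.containers = {}  # session_id -> {dataset -> data}, one entry per dataset
        self.log = []         # audit trail: registrations, consent changes, access decisions

    def _record(self, event, **fields):
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

    def register_purpose(self, purpose, description, legal_basis, datasets):
        """The controller lists each purpose with its legal basis and the datasets it needs."""
        self.purposes[purpose] = {"description": description,
                                  "legal_basis": legal_basis, "datasets": set(datasets)}

    def register_app(self, name, purposes):
        """Applications are registered against known purposes and receive a random key."""
        unknown = set(purposes) - set(self.purposes)
        if unknown:
            raise ValueError(f"unregistered purposes: {sorted(unknown)}")
        key = secrets.token_hex(16)
        self.apps[key] = {"name": name, "purposes": set(purposes)}
        self._record("app_registered", app=name, purposes=sorted(purposes))
        return key

    def store(self, session_id, dataset, data):
        """Each dataset is stored separately under the subject's session id; no profile needed."""
        self.containers.setdefault(session_id, {})[dataset] = data

    def consent_form(self, session_id):
        """Top-level outline shown to the user: purpose, basis, datasets and current choice."""
        return [{"purpose": p, "description": v["description"], "legal_basis": v["legal_basis"],
                 "datasets": sorted(v["datasets"]),
                 "consented": self.consents.get((session_id, p), False)}
                for p, v in self.purposes.items()]

    def give_consent(self, session_id, purpose):
        self.consents[(session_id, purpose)] = True
        self._record("consent_given", subject=session_id, purpose=purpose)

    def withdraw_consent(self, session_id, purpose):
        # Withdrawal is the same single step as giving consent.
        self.consents[(session_id, purpose)] = False
        self._record("consent_withdrawn", subject=session_id, purpose=purpose)

    def request_dataset(self, api_key, session_id, dataset, purpose):
        """Release exactly one dataset, and only if every condition holds; log the decision."""
        app = self.apps.get(api_key)
        spec = self.purposes.get(purpose)
        if app is None:
            reason = "unknown application key"
        elif purpose not in app["purposes"]:
            reason = "application not permitted for this purpose"
        elif spec is None or dataset not in spec["datasets"]:
            reason = "dataset not required for this purpose"   # purpose limitation
        elif spec["legal_basis"] == "consent" and not self.consents.get((session_id, purpose)):
            reason = "no valid consent for this purpose"       # given, then possibly withdrawn
        elif dataset not in self.containers.get(session_id, {}):
            reason = "dataset not stored for this subject"
        else:
            reason = None
        self._record("access", app=app["name"] if app else "unknown", subject=session_id,
                     dataset=dataset, purpose=purpose, granted=reason is None, reason=reason)
        return None if reason else self.containers[session_id][dataset]

    def access_report(self):
        """DPO view: granted versus denied access decisions per application."""
        report = {}
        for entry in self.log:
            if entry["event"] != "access":
                continue
            counts = report.setdefault(entry["app"], {"granted": 0, "denied": 0})
            counts["granted" if entry["granted"] else "denied"] += 1
        return report


if __name__ == "__main__":
    reg = ConsentRegister()
    reg.register_purpose("broadcast_info", "Answer questions about the programme", "contract", ["messages"])
    reg.register_purpose("personalisation", "Recommend shows from listening history", "consent", ["listening_history"])
    key = reg.register_app("recommender", ["broadcast_info", "personalisation"])
    sid = "sess-7f3a"  # constructed session id standing in for a web session
    reg.store(sid, "listening_history", ["morningshow", "nightshow"])
    print(reg.request_dataset(key, sid, "listening_history", "personalisation"))  # denied: no consent
    reg.give_consent(sid, "personalisation")
    print(reg.request_dataset(key, sid, "listening_history", "personalisation"))  # released
    print(reg.access_report())
```

The check order in `request_dataset` matters: the application's identity and permission are verified before the subject's consent is consulted, so a stray key cannot be used to probe which subjects have consented to what. Every decision, granted or denied, is logged with its reason, which is what lets the DPO compare the permissions an application holds against the agreements shown to users.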
Summary
The MARCONI structure comprises several different services to provide an individualised radio experience. Each of these services requires the processing of personal data. Through the use of granular consent agreements and the PriVaults system as a dynamic consent management system, MARCONI gives the user full control over personal data and the possibility to determine the degree of personalisation of the MARCONI services by determining exactly how MARCONI may use personal data for which services. The privacy-by-design approach of MARCONI will support the controller by structuring processing activities and purposes as well as determining the legal basis for each processing activity, while also providing a new and innovative radio experience to the user.
Further Reading
MARCONI deliverables, in particular D1.4 and D4.2.
Article-29-WP, Opinion 4/2007 on the concept of personal data, WP136. 2007.
Article-29-WP, Guidelines on Consent under Regulation 2016/679, WP259 rev.01. 2017.
Article-29-WP, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248 rev.01. 2017.
European Union Agency for Network and Information Security (ENISA), Privacy and data protection in mobile applications: a study on the app development ecosystem and the technical implementation of GDPR. 2017.
European Union Agency for Network and Information Security (ENISA), Handbook on security of personal data processing. 2017.
D. Rücker and T. Kugler, Eds., New European General Data Protection Regulation, a practitioner’s guide: ensuring compliant corporate practice, First edition. München : Oxford, United Kingdom : Baden-Baden: C.H. Beck ; Hart ; Nomos, 2018.
P. Voigt and A. von dem Bussche, The EU General Data Protection Regulation (GDPR): a practical guide. Cham, Switzerland: Springer, 2017.
M. Reinis, Privacy Impact Assessment: Datenschutz-Folgenabschätzung nach ISO/IEC 29134 und ihre Anwendung im Rahmen der EU-DSGVO. Bonn, Germany: Concept Factory, 2018.